1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
59 static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
68 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 case NFT_VALIDATE_NEED:
77 if (new_validate_state == NFT_VALIDATE_NEED)
81 net->nft.validate_state = new_validate_state;
83 static void nf_tables_trans_destroy_work(struct work_struct *w);
84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86 static void nft_ctx_init(struct nft_ctx *ctx,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->flags = nlh->nlmsg_flags;
104 ctx->seq = nlh->nlmsg_seq;
107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
116 trans->msg_type = msg_type;
122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
139 if (!nft_set_is_anonymous(set))
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 switch (trans->msg_type) {
145 if (nft_trans_set(trans) == set)
146 nft_trans_set_bound(trans) = true;
148 case NFT_MSG_NEWSETELEM:
149 if (nft_trans_elem_set(trans) == set)
150 nft_trans_elem_set_bound(trans) = true;
156 static int nft_netdev_register_hooks(struct net *net,
157 struct list_head *hook_list)
159 struct nft_hook *hook;
163 list_for_each_entry(hook, hook_list, list) {
164 err = nf_register_net_hook(net, &hook->ops);
173 list_for_each_entry(hook, hook_list, list) {
177 nf_unregister_net_hook(net, &hook->ops);
182 static void nft_netdev_unregister_hooks(struct net *net,
183 struct list_head *hook_list)
185 struct nft_hook *hook;
187 list_for_each_entry(hook, hook_list, list)
188 nf_unregister_net_hook(net, &hook->ops);
191 static int nft_register_basechain_hooks(struct net *net, int family,
192 struct nft_base_chain *basechain)
194 if (family == NFPROTO_NETDEV)
195 return nft_netdev_register_hooks(net, &basechain->hook_list);
197 return nf_register_net_hook(net, &basechain->ops);
200 static void nft_unregister_basechain_hooks(struct net *net, int family,
201 struct nft_base_chain *basechain)
203 if (family == NFPROTO_NETDEV)
204 nft_netdev_unregister_hooks(net, &basechain->hook_list);
206 nf_unregister_net_hook(net, &basechain->ops);
209 static int nf_tables_register_hook(struct net *net,
210 const struct nft_table *table,
211 struct nft_chain *chain)
213 struct nft_base_chain *basechain;
214 const struct nf_hook_ops *ops;
216 if (table->flags & NFT_TABLE_F_DORMANT ||
217 !nft_is_base_chain(chain))
220 basechain = nft_base_chain(chain);
221 ops = &basechain->ops;
223 if (basechain->type->ops_register)
224 return basechain->type->ops_register(net, ops);
226 return nft_register_basechain_hooks(net, table->family, basechain);
229 static void nf_tables_unregister_hook(struct net *net,
230 const struct nft_table *table,
231 struct nft_chain *chain)
233 struct nft_base_chain *basechain;
234 const struct nf_hook_ops *ops;
236 if (table->flags & NFT_TABLE_F_DORMANT ||
237 !nft_is_base_chain(chain))
239 basechain = nft_base_chain(chain);
240 ops = &basechain->ops;
242 if (basechain->type->ops_unregister)
243 return basechain->type->ops_unregister(net, ops);
245 nft_unregister_basechain_hooks(net, table->family, basechain);
248 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
250 struct nft_trans *trans;
252 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
256 if (msg_type == NFT_MSG_NEWTABLE)
257 nft_activate_next(ctx->net, ctx->table);
259 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
263 static int nft_deltable(struct nft_ctx *ctx)
267 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
271 nft_deactivate_next(ctx->net, ctx->table);
275 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
277 struct nft_trans *trans;
279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
281 return ERR_PTR(-ENOMEM);
283 if (msg_type == NFT_MSG_NEWCHAIN)
284 nft_activate_next(ctx->net, ctx->chain);
286 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
290 static int nft_delchain(struct nft_ctx *ctx)
292 struct nft_trans *trans;
294 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
296 return PTR_ERR(trans);
299 nft_deactivate_next(ctx->net, ctx->chain);
304 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
305 struct nft_rule *rule)
307 struct nft_expr *expr;
309 expr = nft_expr_first(rule);
310 while (expr != nft_expr_last(rule) && expr->ops) {
311 if (expr->ops->activate)
312 expr->ops->activate(ctx, expr);
314 expr = nft_expr_next(expr);
318 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
319 struct nft_rule *rule,
320 enum nft_trans_phase phase)
322 struct nft_expr *expr;
324 expr = nft_expr_first(rule);
325 while (expr != nft_expr_last(rule) && expr->ops) {
326 if (expr->ops->deactivate)
327 expr->ops->deactivate(ctx, expr, phase);
329 expr = nft_expr_next(expr);
334 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
336 /* You cannot delete the same rule twice */
337 if (nft_is_active_next(ctx->net, rule)) {
338 nft_deactivate_next(ctx->net, rule);
345 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
346 struct nft_rule *rule)
348 struct nft_trans *trans;
350 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
354 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
355 nft_trans_rule_id(trans) =
356 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
358 nft_trans_rule(trans) = rule;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
364 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
366 struct nft_flow_rule *flow;
367 struct nft_trans *trans;
370 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
374 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
375 flow = nft_flow_rule_create(ctx->net, rule);
377 nft_trans_destroy(trans);
378 return PTR_ERR(flow);
381 nft_trans_flow_rule(trans) = flow;
384 err = nf_tables_delrule_deactivate(ctx, rule);
386 nft_trans_destroy(trans);
389 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
394 static int nft_delrule_by_chain(struct nft_ctx *ctx)
396 struct nft_rule *rule;
399 list_for_each_entry(rule, &ctx->chain->rules, list) {
400 if (!nft_is_active_next(ctx->net, rule))
403 err = nft_delrule(ctx, rule);
410 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
413 struct nft_trans *trans;
415 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
419 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
420 nft_trans_set_id(trans) =
421 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
422 nft_activate_next(ctx->net, set);
424 nft_trans_set(trans) = set;
425 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
430 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
434 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
438 nft_deactivate_next(ctx->net, set);
444 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
445 struct nft_object *obj)
447 struct nft_trans *trans;
449 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
453 if (msg_type == NFT_MSG_NEWOBJ)
454 nft_activate_next(ctx->net, obj);
456 nft_trans_obj(trans) = obj;
457 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
462 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
466 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
470 nft_deactivate_next(ctx->net, obj);
476 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
477 struct nft_flowtable *flowtable)
479 struct nft_trans *trans;
481 trans = nft_trans_alloc(ctx, msg_type,
482 sizeof(struct nft_trans_flowtable));
486 if (msg_type == NFT_MSG_NEWFLOWTABLE)
487 nft_activate_next(ctx->net, flowtable);
489 nft_trans_flowtable(trans) = flowtable;
490 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
495 static int nft_delflowtable(struct nft_ctx *ctx,
496 struct nft_flowtable *flowtable)
500 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
504 nft_deactivate_next(ctx->net, flowtable);
514 static struct nft_table *nft_table_lookup(const struct net *net,
515 const struct nlattr *nla,
516 u8 family, u8 genmask)
518 struct nft_table *table;
521 return ERR_PTR(-EINVAL);
523 list_for_each_entry_rcu(table, &net->nft.tables, list,
524 lockdep_is_held(&net->nft.commit_mutex)) {
525 if (!nla_strcmp(nla, table->name) &&
526 table->family == family &&
527 nft_active_genmask(table, genmask))
531 return ERR_PTR(-ENOENT);
534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
535 const struct nlattr *nla,
538 struct nft_table *table;
540 list_for_each_entry(table, &net->nft.tables, list) {
541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
542 nft_active_genmask(table, genmask))
546 return ERR_PTR(-ENOENT);
549 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
551 return ++table->hgenerator;
554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
556 static const struct nft_chain_type *
557 __nft_chain_type_get(u8 family, enum nft_chain_types type)
559 if (family >= NFPROTO_NUMPROTO ||
560 type >= NFT_CHAIN_T_MAX)
563 return chain_type[family][type];
566 static const struct nft_chain_type *
567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
569 const struct nft_chain_type *type;
572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
573 type = __nft_chain_type_get(family, i);
576 if (!nla_strcmp(nla, type->name))
582 struct nft_module_request {
583 struct list_head list;
584 char module[MODULE_NAME_LEN];
588 #ifdef CONFIG_MODULES
589 static int nft_request_module(struct net *net, const char *fmt, ...)
591 char module_name[MODULE_NAME_LEN];
592 struct nft_module_request *req;
597 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
599 if (ret >= MODULE_NAME_LEN)
602 list_for_each_entry(req, &net->nft.module_list, list) {
603 if (!strcmp(req->module, module_name)) {
607 /* A request to load this module already exists. */
612 req = kmalloc(sizeof(*req), GFP_KERNEL);
617 strlcpy(req->module, module_name, MODULE_NAME_LEN);
618 list_add_tail(&req->list, &net->nft.module_list);
624 static void lockdep_nfnl_nft_mutex_not_held(void)
626 #ifdef CONFIG_PROVE_LOCKING
627 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
631 static const struct nft_chain_type *
632 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
633 u8 family, bool autoload)
635 const struct nft_chain_type *type;
637 type = __nf_tables_chain_type_lookup(nla, family);
641 lockdep_nfnl_nft_mutex_not_held();
642 #ifdef CONFIG_MODULES
644 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
646 (const char *)nla_data(nla)) == -EAGAIN)
647 return ERR_PTR(-EAGAIN);
650 return ERR_PTR(-ENOENT);
653 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
654 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
655 .len = NFT_TABLE_MAXNAMELEN - 1 },
656 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
657 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
660 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
661 u32 portid, u32 seq, int event, u32 flags,
662 int family, const struct nft_table *table)
664 struct nlmsghdr *nlh;
665 struct nfgenmsg *nfmsg;
667 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
668 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
670 goto nla_put_failure;
672 nfmsg = nlmsg_data(nlh);
673 nfmsg->nfgen_family = family;
674 nfmsg->version = NFNETLINK_V0;
675 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
677 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
678 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
679 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
680 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
682 goto nla_put_failure;
688 nlmsg_trim(skb, nlh);
692 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
701 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
705 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
706 event, 0, ctx->family, ctx->table);
712 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
713 ctx->report, GFP_KERNEL);
716 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
719 static int nf_tables_dump_tables(struct sk_buff *skb,
720 struct netlink_callback *cb)
722 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
723 const struct nft_table *table;
724 unsigned int idx = 0, s_idx = cb->args[0];
725 struct net *net = sock_net(skb->sk);
726 int family = nfmsg->nfgen_family;
729 cb->seq = net->nft.base_seq;
731 list_for_each_entry_rcu(table, &net->nft.tables, list) {
732 if (family != NFPROTO_UNSPEC && family != table->family)
738 memset(&cb->args[1], 0,
739 sizeof(cb->args) - sizeof(cb->args[0]));
740 if (!nft_is_active(net, table))
742 if (nf_tables_fill_table_info(skb, net,
743 NETLINK_CB(cb->skb).portid,
745 NFT_MSG_NEWTABLE, NLM_F_MULTI,
746 table->family, table) < 0)
749 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
759 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
760 const struct nlmsghdr *nlh,
761 struct netlink_dump_control *c)
765 if (!try_module_get(THIS_MODULE))
769 err = netlink_dump_start(nlsk, skb, nlh, c);
771 module_put(THIS_MODULE);
776 /* called with rcu_read_lock held */
777 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
778 struct sk_buff *skb, const struct nlmsghdr *nlh,
779 const struct nlattr * const nla[],
780 struct netlink_ext_ack *extack)
782 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
783 u8 genmask = nft_genmask_cur(net);
784 const struct nft_table *table;
785 struct sk_buff *skb2;
786 int family = nfmsg->nfgen_family;
789 if (nlh->nlmsg_flags & NLM_F_DUMP) {
790 struct netlink_dump_control c = {
791 .dump = nf_tables_dump_tables,
792 .module = THIS_MODULE,
795 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
798 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
800 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
801 return PTR_ERR(table);
804 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
808 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
809 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
814 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
821 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
823 struct nft_chain *chain;
826 list_for_each_entry(chain, &table->chains, list) {
827 if (!nft_is_active_next(net, chain))
829 if (!nft_is_base_chain(chain))
832 if (cnt && i++ == cnt)
835 nft_unregister_basechain_hooks(net, table->family,
836 nft_base_chain(chain));
840 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
842 struct nft_chain *chain;
845 list_for_each_entry(chain, &table->chains, list) {
846 if (!nft_is_active_next(net, chain))
848 if (!nft_is_base_chain(chain))
851 err = nft_register_basechain_hooks(net, table->family,
852 nft_base_chain(chain));
854 goto err_register_hooks;
862 nft_table_disable(net, table, i);
866 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
868 nft_table_disable(net, table, 0);
871 static int nf_tables_updtable(struct nft_ctx *ctx)
873 struct nft_trans *trans;
877 if (!ctx->nla[NFTA_TABLE_FLAGS])
880 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
881 if (flags & ~NFT_TABLE_F_DORMANT)
884 if (flags == ctx->table->flags)
887 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
888 sizeof(struct nft_trans_table));
892 if ((flags & NFT_TABLE_F_DORMANT) &&
893 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
894 nft_trans_table_enable(trans) = false;
895 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
896 ctx->table->flags & NFT_TABLE_F_DORMANT) {
897 ret = nf_tables_table_enable(ctx->net, ctx->table);
899 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
900 nft_trans_table_enable(trans) = true;
906 nft_trans_table_update(trans) = true;
907 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
910 nft_trans_destroy(trans);
914 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
916 const char *name = data;
918 return jhash(name, strlen(name), seed);
921 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
923 const struct nft_chain *chain = data;
925 return nft_chain_hash(chain->name, 0, seed);
928 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
931 const struct nft_chain *chain = ptr;
932 const char *name = arg->key;
934 return strcmp(chain->name, name);
937 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
939 const struct nft_object_hash_key *k = data;
941 seed ^= hash_ptr(k->table, 32);
943 return jhash(k->name, strlen(k->name), seed);
946 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
948 const struct nft_object *obj = data;
950 return nft_objname_hash(&obj->key, 0, seed);
953 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
956 const struct nft_object_hash_key *k = arg->key;
957 const struct nft_object *obj = ptr;
959 if (obj->key.table != k->table)
962 return strcmp(obj->key.name, k->name);
965 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
966 struct sk_buff *skb, const struct nlmsghdr *nlh,
967 const struct nlattr * const nla[],
968 struct netlink_ext_ack *extack)
970 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
971 u8 genmask = nft_genmask_next(net);
972 int family = nfmsg->nfgen_family;
973 const struct nlattr *attr;
974 struct nft_table *table;
979 lockdep_assert_held(&net->nft.commit_mutex);
980 attr = nla[NFTA_TABLE_NAME];
981 table = nft_table_lookup(net, attr, family, genmask);
983 if (PTR_ERR(table) != -ENOENT)
984 return PTR_ERR(table);
986 if (nlh->nlmsg_flags & NLM_F_EXCL) {
987 NL_SET_BAD_ATTR(extack, attr);
990 if (nlh->nlmsg_flags & NLM_F_REPLACE)
993 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
994 return nf_tables_updtable(&ctx);
997 if (nla[NFTA_TABLE_FLAGS]) {
998 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
999 if (flags & ~NFT_TABLE_F_DORMANT)
1004 table = kzalloc(sizeof(*table), GFP_KERNEL);
1008 table->name = nla_strdup(attr, GFP_KERNEL);
1009 if (table->name == NULL)
1012 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1016 INIT_LIST_HEAD(&table->chains);
1017 INIT_LIST_HEAD(&table->sets);
1018 INIT_LIST_HEAD(&table->objects);
1019 INIT_LIST_HEAD(&table->flowtables);
1020 table->family = family;
1021 table->flags = flags;
1022 table->handle = ++table_handle;
1024 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1025 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1029 list_add_tail_rcu(&table->list, &net->nft.tables);
1032 rhltable_destroy(&table->chains_ht);
1041 static int nft_flush_table(struct nft_ctx *ctx)
1043 struct nft_flowtable *flowtable, *nft;
1044 struct nft_chain *chain, *nc;
1045 struct nft_object *obj, *ne;
1046 struct nft_set *set, *ns;
1049 list_for_each_entry(chain, &ctx->table->chains, list) {
1050 if (!nft_is_active_next(ctx->net, chain))
1055 err = nft_delrule_by_chain(ctx);
1060 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1061 if (!nft_is_active_next(ctx->net, set))
1064 if (nft_set_is_anonymous(set) &&
1065 !list_empty(&set->bindings))
1068 err = nft_delset(ctx, set);
1073 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1074 if (!nft_is_active_next(ctx->net, flowtable))
1077 err = nft_delflowtable(ctx, flowtable);
1082 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1083 if (!nft_is_active_next(ctx->net, obj))
1086 err = nft_delobj(ctx, obj);
1091 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1092 if (!nft_is_active_next(ctx->net, chain))
1097 err = nft_delchain(ctx);
1102 err = nft_deltable(ctx);
1107 static int nft_flush(struct nft_ctx *ctx, int family)
1109 struct nft_table *table, *nt;
1110 const struct nlattr * const *nla = ctx->nla;
1113 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1114 if (family != AF_UNSPEC && table->family != family)
1117 ctx->family = table->family;
1119 if (!nft_is_active_next(ctx->net, table))
1122 if (nla[NFTA_TABLE_NAME] &&
1123 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1128 err = nft_flush_table(ctx);
1136 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1137 struct sk_buff *skb, const struct nlmsghdr *nlh,
1138 const struct nlattr * const nla[],
1139 struct netlink_ext_ack *extack)
1141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1142 u8 genmask = nft_genmask_next(net);
1143 int family = nfmsg->nfgen_family;
1144 const struct nlattr *attr;
1145 struct nft_table *table;
1148 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1149 if (family == AF_UNSPEC ||
1150 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1151 return nft_flush(&ctx, family);
1153 if (nla[NFTA_TABLE_HANDLE]) {
1154 attr = nla[NFTA_TABLE_HANDLE];
1155 table = nft_table_lookup_byhandle(net, attr, genmask);
1157 attr = nla[NFTA_TABLE_NAME];
1158 table = nft_table_lookup(net, attr, family, genmask);
1161 if (IS_ERR(table)) {
1162 NL_SET_BAD_ATTR(extack, attr);
1163 return PTR_ERR(table);
1166 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1170 ctx.family = family;
1173 return nft_flush_table(&ctx);
1176 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1178 if (WARN_ON(ctx->table->use > 0))
1181 rhltable_destroy(&ctx->table->chains_ht);
1182 kfree(ctx->table->name);
1186 void nft_register_chain_type(const struct nft_chain_type *ctype)
1188 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1189 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1190 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1193 chain_type[ctype->family][ctype->type] = ctype;
1194 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1196 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1198 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1200 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1201 chain_type[ctype->family][ctype->type] = NULL;
1202 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1204 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1210 static struct nft_chain *
1211 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1213 struct nft_chain *chain;
1215 list_for_each_entry(chain, &table->chains, list) {
1216 if (chain->handle == handle &&
1217 nft_active_genmask(chain, genmask))
1221 return ERR_PTR(-ENOENT);
1224 static bool lockdep_commit_lock_is_held(const struct net *net)
1226 #ifdef CONFIG_PROVE_LOCKING
1227 return lockdep_is_held(&net->nft.commit_mutex);
1233 static struct nft_chain *nft_chain_lookup(struct net *net,
1234 struct nft_table *table,
1235 const struct nlattr *nla, u8 genmask)
1237 char search[NFT_CHAIN_MAXNAMELEN + 1];
1238 struct rhlist_head *tmp, *list;
1239 struct nft_chain *chain;
1242 return ERR_PTR(-EINVAL);
1244 nla_strlcpy(search, nla, sizeof(search));
1246 WARN_ON(!rcu_read_lock_held() &&
1247 !lockdep_commit_lock_is_held(net));
1249 chain = ERR_PTR(-ENOENT);
1251 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1255 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1256 if (nft_active_genmask(chain, genmask))
1259 chain = ERR_PTR(-ENOENT);
1265 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1266 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1267 .len = NFT_TABLE_MAXNAMELEN - 1 },
1268 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1269 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1270 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1271 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1272 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1273 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1274 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1275 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1276 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1279 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1280 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1281 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1282 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1283 .len = IFNAMSIZ - 1 },
1286 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1288 struct nft_stats *cpu_stats, total;
1289 struct nlattr *nest;
1297 memset(&total, 0, sizeof(total));
1298 for_each_possible_cpu(cpu) {
1299 cpu_stats = per_cpu_ptr(stats, cpu);
1301 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1302 pkts = cpu_stats->pkts;
1303 bytes = cpu_stats->bytes;
1304 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1306 total.bytes += bytes;
1308 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1310 goto nla_put_failure;
1312 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1313 NFTA_COUNTER_PAD) ||
1314 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1316 goto nla_put_failure;
1318 nla_nest_end(skb, nest);
1325 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1326 const struct nft_base_chain *basechain)
1328 const struct nf_hook_ops *ops = &basechain->ops;
1329 struct nft_hook *hook, *first = NULL;
1330 struct nlattr *nest, *nest_devs;
1333 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1335 goto nla_put_failure;
1336 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1337 goto nla_put_failure;
1338 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1339 goto nla_put_failure;
1341 if (family == NFPROTO_NETDEV) {
1342 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1343 list_for_each_entry(hook, &basechain->hook_list, list) {
1347 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1348 hook->ops.dev->name))
1349 goto nla_put_failure;
1352 nla_nest_end(skb, nest_devs);
1355 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1356 goto nla_put_failure;
1358 nla_nest_end(skb, nest);
1365 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1366 u32 portid, u32 seq, int event, u32 flags,
1367 int family, const struct nft_table *table,
1368 const struct nft_chain *chain)
1370 struct nlmsghdr *nlh;
1371 struct nfgenmsg *nfmsg;
1373 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1374 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1376 goto nla_put_failure;
1378 nfmsg = nlmsg_data(nlh);
1379 nfmsg->nfgen_family = family;
1380 nfmsg->version = NFNETLINK_V0;
1381 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1383 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1384 goto nla_put_failure;
1385 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1387 goto nla_put_failure;
1388 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1389 goto nla_put_failure;
1391 if (nft_is_base_chain(chain)) {
1392 const struct nft_base_chain *basechain = nft_base_chain(chain);
1393 struct nft_stats __percpu *stats;
1395 if (nft_dump_basechain_hook(skb, family, basechain))
1396 goto nla_put_failure;
1398 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1399 htonl(basechain->policy)))
1400 goto nla_put_failure;
1402 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1403 goto nla_put_failure;
1405 stats = rcu_dereference_check(basechain->stats,
1406 lockdep_commit_lock_is_held(net));
1407 if (nft_dump_stats(skb, stats))
1408 goto nla_put_failure;
1410 if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) &&
1411 nla_put_be32(skb, NFTA_CHAIN_FLAGS,
1412 htonl(NFT_CHAIN_HW_OFFLOAD)))
1413 goto nla_put_failure;
1416 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1417 goto nla_put_failure;
1419 nlmsg_end(skb, nlh);
1423 nlmsg_trim(skb, nlh);
1427 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1429 struct sk_buff *skb;
1433 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1436 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1440 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1441 event, 0, ctx->family, ctx->table,
1448 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1449 ctx->report, GFP_KERNEL);
1452 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1455 static int nf_tables_dump_chains(struct sk_buff *skb,
1456 struct netlink_callback *cb)
1458 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1459 const struct nft_table *table;
1460 const struct nft_chain *chain;
1461 unsigned int idx = 0, s_idx = cb->args[0];
1462 struct net *net = sock_net(skb->sk);
1463 int family = nfmsg->nfgen_family;
1466 cb->seq = net->nft.base_seq;
1468 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1469 if (family != NFPROTO_UNSPEC && family != table->family)
1472 list_for_each_entry_rcu(chain, &table->chains, list) {
1476 memset(&cb->args[1], 0,
1477 sizeof(cb->args) - sizeof(cb->args[0]));
1478 if (!nft_is_active(net, chain))
1480 if (nf_tables_fill_chain_info(skb, net,
1481 NETLINK_CB(cb->skb).portid,
1485 table->family, table,
1489 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1500 /* called with rcu_read_lock held */
1501 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1502 struct sk_buff *skb, const struct nlmsghdr *nlh,
1503 const struct nlattr * const nla[],
1504 struct netlink_ext_ack *extack)
1506 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1507 u8 genmask = nft_genmask_cur(net);
1508 const struct nft_chain *chain;
1509 struct nft_table *table;
1510 struct sk_buff *skb2;
1511 int family = nfmsg->nfgen_family;
1514 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1515 struct netlink_dump_control c = {
1516 .dump = nf_tables_dump_chains,
1517 .module = THIS_MODULE,
1520 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1523 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1524 if (IS_ERR(table)) {
1525 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1526 return PTR_ERR(table);
1529 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1530 if (IS_ERR(chain)) {
1531 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1532 return PTR_ERR(chain);
1535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1539 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1540 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1541 family, table, chain);
1545 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1552 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1553 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1554 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1557 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1559 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1560 struct nft_stats __percpu *newstats;
1561 struct nft_stats *stats;
1564 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1565 nft_counter_policy, NULL);
1567 return ERR_PTR(err);
1569 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1570 return ERR_PTR(-EINVAL);
1572 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1573 if (newstats == NULL)
1574 return ERR_PTR(-ENOMEM);
1576 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1577 * are not exposed to userspace.
1580 stats = this_cpu_ptr(newstats);
1581 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1582 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1588 static void nft_chain_stats_replace(struct nft_trans *trans)
1590 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1592 if (!nft_trans_chain_stats(trans))
1595 nft_trans_chain_stats(trans) =
1596 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1597 lockdep_commit_lock_is_held(trans->ctx.net));
1599 if (!nft_trans_chain_stats(trans))
1600 static_branch_inc(&nft_counters_enabled);
1603 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1605 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1606 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1612 /* should be NULL either via abort or via successful commit */
1613 WARN_ON_ONCE(chain->rules_next);
1614 kvfree(chain->rules_next);
1617 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1619 struct nft_chain *chain = ctx->chain;
1620 struct nft_hook *hook, *next;
1622 if (WARN_ON(chain->use > 0))
1625 /* no concurrent access possible anymore */
1626 nf_tables_chain_free_chain_rules(chain);
1628 if (nft_is_base_chain(chain)) {
1629 struct nft_base_chain *basechain = nft_base_chain(chain);
1631 if (ctx->family == NFPROTO_NETDEV) {
1632 list_for_each_entry_safe(hook, next,
1633 &basechain->hook_list, list) {
1634 list_del_rcu(&hook->list);
1635 kfree_rcu(hook, rcu);
1638 module_put(basechain->type->owner);
1639 if (rcu_access_pointer(basechain->stats)) {
1640 static_branch_dec(&nft_counters_enabled);
1641 free_percpu(rcu_dereference_raw(basechain->stats));
1651 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1652 const struct nlattr *attr)
1654 struct net_device *dev;
1655 char ifname[IFNAMSIZ];
1656 struct nft_hook *hook;
1659 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1662 goto err_hook_alloc;
1665 nla_strlcpy(ifname, attr, IFNAMSIZ);
1666 dev = __dev_get_by_name(net, ifname);
1671 hook->ops.dev = dev;
1678 return ERR_PTR(err);
1681 static bool nft_hook_list_find(struct list_head *hook_list,
1682 const struct nft_hook *this)
1684 struct nft_hook *hook;
1686 list_for_each_entry(hook, hook_list, list) {
1687 if (this->ops.dev == hook->ops.dev)
1694 static int nf_tables_parse_netdev_hooks(struct net *net,
1695 const struct nlattr *attr,
1696 struct list_head *hook_list)
1698 struct nft_hook *hook, *next;
1699 const struct nlattr *tmp;
1700 int rem, n = 0, err;
1702 nla_for_each_nested(tmp, attr, rem) {
1703 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1708 hook = nft_netdev_hook_alloc(net, tmp);
1710 err = PTR_ERR(hook);
1713 if (nft_hook_list_find(hook_list, hook)) {
1718 list_add_tail(&hook->list, hook_list);
1721 if (n == NFT_NETDEVICE_MAX) {
1732 list_for_each_entry_safe(hook, next, hook_list, list) {
1733 list_del(&hook->list);
1739 struct nft_chain_hook {
1742 const struct nft_chain_type *type;
1743 struct list_head list;
1746 static int nft_chain_parse_netdev(struct net *net,
1747 struct nlattr *tb[],
1748 struct list_head *hook_list)
1750 struct nft_hook *hook;
1753 if (tb[NFTA_HOOK_DEV]) {
1754 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1756 return PTR_ERR(hook);
1758 list_add_tail(&hook->list, hook_list);
1759 } else if (tb[NFTA_HOOK_DEVS]) {
1760 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1771 static int nft_chain_parse_hook(struct net *net,
1772 const struct nlattr * const nla[],
1773 struct nft_chain_hook *hook, u8 family,
1776 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1777 const struct nft_chain_type *type;
1780 lockdep_assert_held(&net->nft.commit_mutex);
1781 lockdep_nfnl_nft_mutex_not_held();
1783 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1784 nla[NFTA_CHAIN_HOOK],
1785 nft_hook_policy, NULL);
1789 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1790 ha[NFTA_HOOK_PRIORITY] == NULL)
1793 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1794 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1796 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1800 if (nla[NFTA_CHAIN_TYPE]) {
1801 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1804 return PTR_ERR(type);
1806 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1809 if (type->type == NFT_CHAIN_T_NAT &&
1810 hook->priority <= NF_IP_PRI_CONNTRACK)
1813 if (!try_module_get(type->owner))
1818 INIT_LIST_HEAD(&hook->list);
1819 if (family == NFPROTO_NETDEV) {
1820 err = nft_chain_parse_netdev(net, ha, &hook->list);
1822 module_put(type->owner);
1825 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1826 module_put(type->owner);
1833 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1835 struct nft_hook *h, *next;
1837 list_for_each_entry_safe(h, next, &hook->list, list) {
1841 module_put(hook->type->owner);
1844 struct nft_rules_old {
1846 struct nft_rule **start;
1849 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1852 if (alloc > INT_MAX)
1855 alloc += 1; /* NULL, ends rules */
1856 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1859 alloc *= sizeof(struct nft_rule *);
1860 alloc += sizeof(struct nft_rules_old);
1862 return kvmalloc(alloc, GFP_KERNEL);
1865 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1866 const struct nft_chain_hook *hook,
1867 struct nft_chain *chain)
1870 ops->hooknum = hook->num;
1871 ops->priority = hook->priority;
1873 ops->hook = hook->type->hooks[ops->hooknum];
1876 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1877 struct nft_chain_hook *hook, u32 flags)
1879 struct nft_chain *chain;
1882 basechain->type = hook->type;
1883 INIT_LIST_HEAD(&basechain->hook_list);
1884 chain = &basechain->chain;
1886 if (family == NFPROTO_NETDEV) {
1887 list_splice_init(&hook->list, &basechain->hook_list);
1888 list_for_each_entry(h, &basechain->hook_list, list)
1889 nft_basechain_hook_init(&h->ops, family, hook, chain);
1891 basechain->ops.hooknum = hook->num;
1892 basechain->ops.priority = hook->priority;
1894 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1897 chain->flags |= NFT_BASE_CHAIN | flags;
1898 basechain->policy = NF_ACCEPT;
1899 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1900 nft_chain_offload_priority(basechain) < 0)
1903 flow_block_init(&basechain->flow_block);
1908 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1909 u8 policy, u32 flags)
1911 const struct nlattr * const *nla = ctx->nla;
1912 struct nft_table *table = ctx->table;
1913 struct nft_base_chain *basechain;
1914 struct nft_stats __percpu *stats;
1915 struct net *net = ctx->net;
1916 struct nft_trans *trans;
1917 struct nft_chain *chain;
1918 struct nft_rule **rules;
1921 if (table->use == UINT_MAX)
1924 if (nla[NFTA_CHAIN_HOOK]) {
1925 struct nft_chain_hook hook;
1927 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1931 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1932 if (basechain == NULL) {
1933 nft_chain_release_hook(&hook);
1936 chain = &basechain->chain;
1938 if (nla[NFTA_CHAIN_COUNTERS]) {
1939 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1940 if (IS_ERR(stats)) {
1941 nft_chain_release_hook(&hook);
1943 return PTR_ERR(stats);
1945 rcu_assign_pointer(basechain->stats, stats);
1946 static_branch_inc(&nft_counters_enabled);
1949 err = nft_basechain_init(basechain, family, &hook, flags);
1951 nft_chain_release_hook(&hook);
1956 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1962 INIT_LIST_HEAD(&chain->rules);
1963 chain->handle = nf_tables_alloc_handle(table);
1964 chain->table = table;
1965 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1971 rules = nf_tables_chain_alloc_rules(chain, 0);
1978 rcu_assign_pointer(chain->rules_gen_0, rules);
1979 rcu_assign_pointer(chain->rules_gen_1, rules);
1981 err = nf_tables_register_hook(net, table, chain);
1985 err = rhltable_insert_key(&table->chains_ht, chain->name,
1986 &chain->rhlhead, nft_chain_ht_params);
1990 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1991 if (IS_ERR(trans)) {
1992 err = PTR_ERR(trans);
1993 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1994 nft_chain_ht_params);
1998 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1999 if (nft_is_base_chain(chain))
2000 nft_trans_chain_policy(trans) = policy;
2003 list_add_tail_rcu(&chain->list, &table->chains);
2007 nf_tables_unregister_hook(net, table, chain);
2009 nf_tables_chain_destroy(ctx);
2014 static bool nft_hook_list_equal(struct list_head *hook_list1,
2015 struct list_head *hook_list2)
2017 struct nft_hook *hook;
2021 list_for_each_entry(hook, hook_list2, list) {
2022 if (!nft_hook_list_find(hook_list1, hook))
2027 list_for_each_entry(hook, hook_list1, list)
2033 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2036 const struct nlattr * const *nla = ctx->nla;
2037 struct nft_table *table = ctx->table;
2038 struct nft_chain *chain = ctx->chain;
2039 struct nft_base_chain *basechain;
2040 struct nft_stats *stats = NULL;
2041 struct nft_chain_hook hook;
2042 struct nf_hook_ops *ops;
2043 struct nft_trans *trans;
2046 if (chain->flags ^ flags)
2049 if (nla[NFTA_CHAIN_HOOK]) {
2050 if (!nft_is_base_chain(chain))
2053 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2058 basechain = nft_base_chain(chain);
2059 if (basechain->type != hook.type) {
2060 nft_chain_release_hook(&hook);
2064 if (ctx->family == NFPROTO_NETDEV) {
2065 if (!nft_hook_list_equal(&basechain->hook_list,
2067 nft_chain_release_hook(&hook);
2071 ops = &basechain->ops;
2072 if (ops->hooknum != hook.num ||
2073 ops->priority != hook.priority) {
2074 nft_chain_release_hook(&hook);
2078 nft_chain_release_hook(&hook);
2081 if (nla[NFTA_CHAIN_HANDLE] &&
2082 nla[NFTA_CHAIN_NAME]) {
2083 struct nft_chain *chain2;
2085 chain2 = nft_chain_lookup(ctx->net, table,
2086 nla[NFTA_CHAIN_NAME], genmask);
2087 if (!IS_ERR(chain2))
2091 if (nla[NFTA_CHAIN_COUNTERS]) {
2092 if (!nft_is_base_chain(chain))
2095 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2097 return PTR_ERR(stats);
2101 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2102 sizeof(struct nft_trans_chain));
2106 nft_trans_chain_stats(trans) = stats;
2107 nft_trans_chain_update(trans) = true;
2109 if (nla[NFTA_CHAIN_POLICY])
2110 nft_trans_chain_policy(trans) = policy;
2112 nft_trans_chain_policy(trans) = -1;
2114 if (nla[NFTA_CHAIN_HANDLE] &&
2115 nla[NFTA_CHAIN_NAME]) {
2116 struct nft_trans *tmp;
2120 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2125 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2126 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2127 tmp->ctx.table == table &&
2128 nft_trans_chain_update(tmp) &&
2129 nft_trans_chain_name(tmp) &&
2130 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2136 nft_trans_chain_name(trans) = name;
2138 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2147 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2148 struct sk_buff *skb, const struct nlmsghdr *nlh,
2149 const struct nlattr * const nla[],
2150 struct netlink_ext_ack *extack)
2152 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2153 u8 genmask = nft_genmask_next(net);
2154 int family = nfmsg->nfgen_family;
2155 const struct nlattr *attr;
2156 struct nft_table *table;
2157 struct nft_chain *chain;
2158 u8 policy = NF_ACCEPT;
2163 lockdep_assert_held(&net->nft.commit_mutex);
2165 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2166 if (IS_ERR(table)) {
2167 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2168 return PTR_ERR(table);
2172 attr = nla[NFTA_CHAIN_NAME];
2174 if (nla[NFTA_CHAIN_HANDLE]) {
2175 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2176 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2177 if (IS_ERR(chain)) {
2178 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2179 return PTR_ERR(chain);
2181 attr = nla[NFTA_CHAIN_HANDLE];
2183 chain = nft_chain_lookup(net, table, attr, genmask);
2184 if (IS_ERR(chain)) {
2185 if (PTR_ERR(chain) != -ENOENT) {
2186 NL_SET_BAD_ATTR(extack, attr);
2187 return PTR_ERR(chain);
2193 if (nla[NFTA_CHAIN_POLICY]) {
2194 if (chain != NULL &&
2195 !nft_is_base_chain(chain)) {
2196 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2200 if (chain == NULL &&
2201 nla[NFTA_CHAIN_HOOK] == NULL) {
2202 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2206 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2216 if (nla[NFTA_CHAIN_FLAGS])
2217 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2219 flags = chain->flags;
2221 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2223 if (chain != NULL) {
2224 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2225 NL_SET_BAD_ATTR(extack, attr);
2228 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2231 flags |= chain->flags & NFT_BASE_CHAIN;
2232 return nf_tables_updchain(&ctx, genmask, policy, flags);
2235 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2238 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2239 struct sk_buff *skb, const struct nlmsghdr *nlh,
2240 const struct nlattr * const nla[],
2241 struct netlink_ext_ack *extack)
2243 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2244 u8 genmask = nft_genmask_next(net);
2245 int family = nfmsg->nfgen_family;
2246 const struct nlattr *attr;
2247 struct nft_table *table;
2248 struct nft_chain *chain;
2249 struct nft_rule *rule;
2255 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2256 if (IS_ERR(table)) {
2257 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2258 return PTR_ERR(table);
2261 if (nla[NFTA_CHAIN_HANDLE]) {
2262 attr = nla[NFTA_CHAIN_HANDLE];
2263 handle = be64_to_cpu(nla_get_be64(attr));
2264 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2266 attr = nla[NFTA_CHAIN_NAME];
2267 chain = nft_chain_lookup(net, table, attr, genmask);
2269 if (IS_ERR(chain)) {
2270 NL_SET_BAD_ATTR(extack, attr);
2271 return PTR_ERR(chain);
2274 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2278 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2281 list_for_each_entry(rule, &chain->rules, list) {
2282 if (!nft_is_active_next(net, rule))
2286 err = nft_delrule(&ctx, rule);
2291 /* There are rules and elements that are still holding references to us,
2292 * we cannot do a recursive removal in this case.
2295 NL_SET_BAD_ATTR(extack, attr);
2299 return nft_delchain(&ctx);
2307 * nft_register_expr - register nf_tables expr type
2310 * Registers the expr type for use with nf_tables. Returns zero on
2311 * success or a negative errno code otherwise.
2313 int nft_register_expr(struct nft_expr_type *type)
2315 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2316 if (type->family == NFPROTO_UNSPEC)
2317 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2319 list_add_rcu(&type->list, &nf_tables_expressions);
2320 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2323 EXPORT_SYMBOL_GPL(nft_register_expr);
2326 * nft_unregister_expr - unregister nf_tables expr type
2329 * Unregisters the expr typefor use with nf_tables.
2331 void nft_unregister_expr(struct nft_expr_type *type)
2333 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2334 list_del_rcu(&type->list);
2335 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2337 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2339 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2342 const struct nft_expr_type *type, *candidate = NULL;
2344 list_for_each_entry(type, &nf_tables_expressions, list) {
2345 if (!nla_strcmp(nla, type->name)) {
2346 if (!type->family && !candidate)
2348 else if (type->family == family)
2355 #ifdef CONFIG_MODULES
2356 static int nft_expr_type_request_module(struct net *net, u8 family,
2359 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2360 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2367 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2371 const struct nft_expr_type *type;
2374 return ERR_PTR(-EINVAL);
2376 type = __nft_expr_type_get(family, nla);
2377 if (type != NULL && try_module_get(type->owner))
2380 lockdep_nfnl_nft_mutex_not_held();
2381 #ifdef CONFIG_MODULES
2383 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2384 return ERR_PTR(-EAGAIN);
2386 if (nft_request_module(net, "nft-expr-%.*s",
2388 (char *)nla_data(nla)) == -EAGAIN)
2389 return ERR_PTR(-EAGAIN);
2392 return ERR_PTR(-ENOENT);
2395 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2396 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2397 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2398 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2401 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2402 const struct nft_expr *expr)
2404 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2405 goto nla_put_failure;
2407 if (expr->ops->dump) {
2408 struct nlattr *data = nla_nest_start_noflag(skb,
2411 goto nla_put_failure;
2412 if (expr->ops->dump(skb, expr) < 0)
2413 goto nla_put_failure;
2414 nla_nest_end(skb, data);
2423 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2424 const struct nft_expr *expr)
2426 struct nlattr *nest;
2428 nest = nla_nest_start_noflag(skb, attr);
2430 goto nla_put_failure;
2431 if (nf_tables_fill_expr_info(skb, expr) < 0)
2432 goto nla_put_failure;
2433 nla_nest_end(skb, nest);
2440 struct nft_expr_info {
2441 const struct nft_expr_ops *ops;
2442 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2445 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2446 const struct nlattr *nla,
2447 struct nft_expr_info *info)
2449 const struct nft_expr_type *type;
2450 const struct nft_expr_ops *ops;
2451 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2454 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2455 nft_expr_policy, NULL);
2459 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2461 return PTR_ERR(type);
2463 if (tb[NFTA_EXPR_DATA]) {
2464 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2466 type->policy, NULL);
2470 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2472 if (type->select_ops != NULL) {
2473 ops = type->select_ops(ctx,
2474 (const struct nlattr * const *)info->tb);
2477 #ifdef CONFIG_MODULES
2479 if (nft_expr_type_request_module(ctx->net,
2481 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2493 module_put(type->owner);
2497 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2498 const struct nft_expr_info *info,
2499 struct nft_expr *expr)
2501 const struct nft_expr_ops *ops = info->ops;
2506 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2517 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2518 struct nft_expr *expr)
2520 const struct nft_expr_type *type = expr->ops->type;
2522 if (expr->ops->destroy)
2523 expr->ops->destroy(ctx, expr);
2524 module_put(type->owner);
2527 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2528 const struct nlattr *nla)
2530 struct nft_expr_info info;
2531 struct nft_expr *expr;
2532 struct module *owner;
2535 err = nf_tables_expr_parse(ctx, nla, &info);
2540 expr = kzalloc(info.ops->size, GFP_KERNEL);
2544 err = nf_tables_newexpr(ctx, &info, expr);
2552 owner = info.ops->type->owner;
2553 if (info.ops->type->release_ops)
2554 info.ops->type->release_ops(info.ops);
2558 return ERR_PTR(err);
2561 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2565 if (src->ops->clone) {
2566 dst->ops = src->ops;
2567 err = src->ops->clone(dst, src);
2571 memcpy(dst, src, src->ops->size);
2574 __module_get(src->ops->type->owner);
2579 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2581 nf_tables_expr_destroy(ctx, expr);
2589 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2592 struct nft_rule *rule;
2594 // FIXME: this sucks
2595 list_for_each_entry_rcu(rule, &chain->rules, list) {
2596 if (handle == rule->handle)
2600 return ERR_PTR(-ENOENT);
2603 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2604 const struct nlattr *nla)
2607 return ERR_PTR(-EINVAL);
2609 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2612 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2613 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2614 .len = NFT_TABLE_MAXNAMELEN - 1 },
2615 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2616 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2617 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2618 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2619 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2620 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2621 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2622 .len = NFT_USERDATA_MAXLEN },
2623 [NFTA_RULE_ID] = { .type = NLA_U32 },
2624 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2627 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2628 u32 portid, u32 seq, int event,
2629 u32 flags, int family,
2630 const struct nft_table *table,
2631 const struct nft_chain *chain,
2632 const struct nft_rule *rule,
2633 const struct nft_rule *prule)
2635 struct nlmsghdr *nlh;
2636 struct nfgenmsg *nfmsg;
2637 const struct nft_expr *expr, *next;
2638 struct nlattr *list;
2639 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2641 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2643 goto nla_put_failure;
2645 nfmsg = nlmsg_data(nlh);
2646 nfmsg->nfgen_family = family;
2647 nfmsg->version = NFNETLINK_V0;
2648 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2650 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2651 goto nla_put_failure;
2652 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2653 goto nla_put_failure;
2654 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2656 goto nla_put_failure;
2658 if (event != NFT_MSG_DELRULE && prule) {
2659 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2660 cpu_to_be64(prule->handle),
2662 goto nla_put_failure;
2665 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2667 goto nla_put_failure;
2668 nft_rule_for_each_expr(expr, next, rule) {
2669 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2670 goto nla_put_failure;
2672 nla_nest_end(skb, list);
2675 struct nft_userdata *udata = nft_userdata(rule);
2676 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2678 goto nla_put_failure;
2681 nlmsg_end(skb, nlh);
2685 nlmsg_trim(skb, nlh);
2689 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2690 const struct nft_rule *rule, int event)
2692 struct sk_buff *skb;
2696 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2699 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2703 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2704 event, 0, ctx->family, ctx->table,
2705 ctx->chain, rule, NULL);
2711 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2712 ctx->report, GFP_KERNEL);
2715 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2718 struct nft_rule_dump_ctx {
2723 static int __nf_tables_dump_rules(struct sk_buff *skb,
2725 struct netlink_callback *cb,
2726 const struct nft_table *table,
2727 const struct nft_chain *chain)
2729 struct net *net = sock_net(skb->sk);
2730 const struct nft_rule *rule, *prule;
2731 unsigned int s_idx = cb->args[0];
2734 list_for_each_entry_rcu(rule, &chain->rules, list) {
2735 if (!nft_is_active(net, rule))
2740 memset(&cb->args[1], 0,
2741 sizeof(cb->args) - sizeof(cb->args[0]));
2743 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2746 NLM_F_MULTI | NLM_F_APPEND,
2748 table, chain, rule, prule) < 0)
2751 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2760 static int nf_tables_dump_rules(struct sk_buff *skb,
2761 struct netlink_callback *cb)
2763 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2764 const struct nft_rule_dump_ctx *ctx = cb->data;
2765 struct nft_table *table;
2766 const struct nft_chain *chain;
2767 unsigned int idx = 0;
2768 struct net *net = sock_net(skb->sk);
2769 int family = nfmsg->nfgen_family;
2772 cb->seq = net->nft.base_seq;
2774 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2775 if (family != NFPROTO_UNSPEC && family != table->family)
2778 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2781 if (ctx && ctx->table && ctx->chain) {
2782 struct rhlist_head *list, *tmp;
2784 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2785 nft_chain_ht_params);
2789 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2790 if (!nft_is_active(net, chain))
2792 __nf_tables_dump_rules(skb, &idx,
2799 list_for_each_entry_rcu(chain, &table->chains, list) {
2800 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2804 if (ctx && ctx->table)
2814 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2816 const struct nlattr * const *nla = cb->data;
2817 struct nft_rule_dump_ctx *ctx = NULL;
2819 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2820 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2824 if (nla[NFTA_RULE_TABLE]) {
2825 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2832 if (nla[NFTA_RULE_CHAIN]) {
2833 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2847 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2849 struct nft_rule_dump_ctx *ctx = cb->data;
2859 /* called with rcu_read_lock held */
2860 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2861 struct sk_buff *skb, const struct nlmsghdr *nlh,
2862 const struct nlattr * const nla[],
2863 struct netlink_ext_ack *extack)
2865 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2866 u8 genmask = nft_genmask_cur(net);
2867 const struct nft_chain *chain;
2868 const struct nft_rule *rule;
2869 struct nft_table *table;
2870 struct sk_buff *skb2;
2871 int family = nfmsg->nfgen_family;
2874 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2875 struct netlink_dump_control c = {
2876 .start= nf_tables_dump_rules_start,
2877 .dump = nf_tables_dump_rules,
2878 .done = nf_tables_dump_rules_done,
2879 .module = THIS_MODULE,
2880 .data = (void *)nla,
2883 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2886 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2887 if (IS_ERR(table)) {
2888 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2889 return PTR_ERR(table);
2892 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2893 if (IS_ERR(chain)) {
2894 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2895 return PTR_ERR(chain);
2898 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2900 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2901 return PTR_ERR(rule);
2904 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2908 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2909 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2910 family, table, chain, rule, NULL);
2914 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2921 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2922 struct nft_rule *rule)
2924 struct nft_expr *expr, *next;
2927 * Careful: some expressions might not be initialized in case this
2928 * is called on error from nf_tables_newrule().
2930 expr = nft_expr_first(rule);
2931 while (expr != nft_expr_last(rule) && expr->ops) {
2932 next = nft_expr_next(expr);
2933 nf_tables_expr_destroy(ctx, expr);
2939 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2940 struct nft_rule *rule)
2942 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2943 nf_tables_rule_destroy(ctx, rule);
2946 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2948 struct nft_expr *expr, *last;
2949 const struct nft_data *data;
2950 struct nft_rule *rule;
2953 if (ctx->level == NFT_JUMP_STACK_SIZE)
2956 list_for_each_entry(rule, &chain->rules, list) {
2957 if (!nft_is_active_next(ctx->net, rule))
2960 nft_rule_for_each_expr(expr, last, rule) {
2961 if (!expr->ops->validate)
2964 err = expr->ops->validate(ctx, expr, &data);
2972 EXPORT_SYMBOL_GPL(nft_chain_validate);
2974 static int nft_table_validate(struct net *net, const struct nft_table *table)
2976 struct nft_chain *chain;
2977 struct nft_ctx ctx = {
2979 .family = table->family,
2983 list_for_each_entry(chain, &table->chains, list) {
2984 if (!nft_is_base_chain(chain))
2988 err = nft_chain_validate(&ctx, chain);
2996 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2997 const struct nlattr *nla);
2999 #define NFT_RULE_MAXEXPRS 128
3001 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3002 struct sk_buff *skb, const struct nlmsghdr *nlh,
3003 const struct nlattr * const nla[],
3004 struct netlink_ext_ack *extack)
3006 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3007 u8 genmask = nft_genmask_next(net);
3008 struct nft_expr_info *info = NULL;
3009 int family = nfmsg->nfgen_family;
3010 struct nft_flow_rule *flow;
3011 struct nft_table *table;
3012 struct nft_chain *chain;
3013 struct nft_rule *rule, *old_rule = NULL;
3014 struct nft_userdata *udata;
3015 struct nft_trans *trans = NULL;
3016 struct nft_expr *expr;
3019 unsigned int size, i, n, ulen = 0, usize = 0;
3021 u64 handle, pos_handle;
3023 lockdep_assert_held(&net->nft.commit_mutex);
3025 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3026 if (IS_ERR(table)) {
3027 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3028 return PTR_ERR(table);
3031 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3032 if (IS_ERR(chain)) {
3033 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3034 return PTR_ERR(chain);
3037 if (nla[NFTA_RULE_HANDLE]) {
3038 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3039 rule = __nft_rule_lookup(chain, handle);
3041 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3042 return PTR_ERR(rule);
3045 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3046 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3049 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3054 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3055 nlh->nlmsg_flags & NLM_F_REPLACE)
3057 handle = nf_tables_alloc_handle(table);
3059 if (chain->use == UINT_MAX)
3062 if (nla[NFTA_RULE_POSITION]) {
3063 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3064 old_rule = __nft_rule_lookup(chain, pos_handle);
3065 if (IS_ERR(old_rule)) {
3066 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3067 return PTR_ERR(old_rule);
3069 } else if (nla[NFTA_RULE_POSITION_ID]) {
3070 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3071 if (IS_ERR(old_rule)) {
3072 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3073 return PTR_ERR(old_rule);
3078 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3082 if (nla[NFTA_RULE_EXPRESSIONS]) {
3083 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3084 sizeof(struct nft_expr_info),
3089 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3091 if (nla_type(tmp) != NFTA_LIST_ELEM)
3093 if (n == NFT_RULE_MAXEXPRS)
3095 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3098 size += info[n].ops->size;
3102 /* Check for overflow of dlen field */
3104 if (size >= 1 << 12)
3107 if (nla[NFTA_RULE_USERDATA]) {
3108 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3110 usize = sizeof(struct nft_userdata) + ulen;
3114 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3118 nft_activate_next(net, rule);
3120 rule->handle = handle;
3122 rule->udata = ulen ? 1 : 0;
3125 udata = nft_userdata(rule);
3126 udata->len = ulen - 1;
3127 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3130 expr = nft_expr_first(rule);
3131 for (i = 0; i < n; i++) {
3132 err = nf_tables_newexpr(&ctx, &info[i], expr);
3136 if (info[i].ops->validate)
3137 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3140 expr = nft_expr_next(expr);
3143 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3144 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3145 if (trans == NULL) {
3149 err = nft_delrule(&ctx, old_rule);
3151 nft_trans_destroy(trans);
3155 list_add_tail_rcu(&rule->list, &old_rule->list);
3157 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3163 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3165 list_add_rcu(&rule->list, &old_rule->list);
3167 list_add_tail_rcu(&rule->list, &chain->rules);
3170 list_add_tail_rcu(&rule->list, &old_rule->list);
3172 list_add_rcu(&rule->list, &chain->rules);
3178 if (net->nft.validate_state == NFT_VALIDATE_DO)
3179 return nft_table_validate(net, table);
3181 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3182 flow = nft_flow_rule_create(net, rule);
3184 return PTR_ERR(flow);
3186 nft_trans_flow_rule(trans) = flow;
3191 nf_tables_rule_release(&ctx, rule);
3193 for (i = 0; i < n; i++) {
3195 module_put(info[i].ops->type->owner);
3196 if (info[i].ops->type->release_ops)
3197 info[i].ops->type->release_ops(info[i].ops);
3204 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3205 const struct nlattr *nla)
3207 u32 id = ntohl(nla_get_be32(nla));
3208 struct nft_trans *trans;
3210 list_for_each_entry(trans, &net->nft.commit_list, list) {
3211 struct nft_rule *rule = nft_trans_rule(trans);
3213 if (trans->msg_type == NFT_MSG_NEWRULE &&
3214 id == nft_trans_rule_id(trans))
3217 return ERR_PTR(-ENOENT);
3220 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3221 struct sk_buff *skb, const struct nlmsghdr *nlh,
3222 const struct nlattr * const nla[],
3223 struct netlink_ext_ack *extack)
3225 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3226 u8 genmask = nft_genmask_next(net);
3227 struct nft_table *table;
3228 struct nft_chain *chain = NULL;
3229 struct nft_rule *rule;
3230 int family = nfmsg->nfgen_family, err = 0;
3233 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3234 if (IS_ERR(table)) {
3235 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3236 return PTR_ERR(table);
3239 if (nla[NFTA_RULE_CHAIN]) {
3240 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3242 if (IS_ERR(chain)) {
3243 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3244 return PTR_ERR(chain);
3248 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3251 if (nla[NFTA_RULE_HANDLE]) {
3252 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3254 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3255 return PTR_ERR(rule);
3258 err = nft_delrule(&ctx, rule);
3259 } else if (nla[NFTA_RULE_ID]) {
3260 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3262 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3263 return PTR_ERR(rule);
3266 err = nft_delrule(&ctx, rule);
3268 err = nft_delrule_by_chain(&ctx);
3271 list_for_each_entry(chain, &table->chains, list) {
3272 if (!nft_is_active_next(net, chain))
3276 err = nft_delrule_by_chain(&ctx);
3288 static const struct nft_set_type *nft_set_types[] = {
3289 &nft_set_hash_fast_type,
3291 &nft_set_rhash_type,
3292 &nft_set_bitmap_type,
3293 &nft_set_rbtree_type,
3294 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3295 &nft_set_pipapo_avx2_type,
3297 &nft_set_pipapo_type,
3300 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3301 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3304 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3306 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3310 * Select a set implementation based on the data characteristics and the
3311 * given policy. The total memory use might not be known if no size is
3312 * given, in that case the amount of memory per element is used.
3314 static const struct nft_set_ops *
3315 nft_select_set_ops(const struct nft_ctx *ctx,
3316 const struct nlattr * const nla[],
3317 const struct nft_set_desc *desc,
3318 enum nft_set_policies policy)
3320 const struct nft_set_ops *ops, *bops;
3321 struct nft_set_estimate est, best;
3322 const struct nft_set_type *type;
3326 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3327 lockdep_nfnl_nft_mutex_not_held();
3329 if (nla[NFTA_SET_FLAGS] != NULL)
3330 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3337 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3338 type = nft_set_types[i];
3341 if (!nft_set_ops_candidate(type, flags))
3343 if (!ops->estimate(desc, flags, &est))
3347 case NFT_SET_POL_PERFORMANCE:
3348 if (est.lookup < best.lookup)
3350 if (est.lookup == best.lookup &&
3351 est.space < best.space)
3354 case NFT_SET_POL_MEMORY:
3356 if (est.space < best.space)
3358 if (est.space == best.space &&
3359 est.lookup < best.lookup)
3361 } else if (est.size < best.size || !bops) {
3376 return ERR_PTR(-EOPNOTSUPP);
3379 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3380 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3381 .len = NFT_TABLE_MAXNAMELEN - 1 },
3382 [NFTA_SET_NAME] = { .type = NLA_STRING,
3383 .len = NFT_SET_MAXNAMELEN - 1 },
3384 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3385 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3386 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3387 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3388 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3389 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3390 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3391 [NFTA_SET_ID] = { .type = NLA_U32 },
3392 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3393 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3394 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3395 .len = NFT_USERDATA_MAXLEN },
3396 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3397 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3398 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3401 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3402 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3403 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3406 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3407 const struct sk_buff *skb,
3408 const struct nlmsghdr *nlh,
3409 const struct nlattr * const nla[],
3410 struct netlink_ext_ack *extack,
3413 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3414 int family = nfmsg->nfgen_family;
3415 struct nft_table *table = NULL;
3417 if (nla[NFTA_SET_TABLE] != NULL) {
3418 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3420 if (IS_ERR(table)) {
3421 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3422 return PTR_ERR(table);
3426 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3430 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3431 const struct nlattr *nla, u8 genmask)
3433 struct nft_set *set;
3436 return ERR_PTR(-EINVAL);
3438 list_for_each_entry_rcu(set, &table->sets, list) {
3439 if (!nla_strcmp(nla, set->name) &&
3440 nft_active_genmask(set, genmask))
3443 return ERR_PTR(-ENOENT);
3446 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3447 const struct nlattr *nla,
3450 struct nft_set *set;
3452 list_for_each_entry(set, &table->sets, list) {
3453 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3454 nft_active_genmask(set, genmask))
3457 return ERR_PTR(-ENOENT);
3460 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3461 const struct nlattr *nla, u8 genmask)
3463 struct nft_trans *trans;
3464 u32 id = ntohl(nla_get_be32(nla));
3466 list_for_each_entry(trans, &net->nft.commit_list, list) {
3467 if (trans->msg_type == NFT_MSG_NEWSET) {
3468 struct nft_set *set = nft_trans_set(trans);
3470 if (id == nft_trans_set_id(trans) &&
3471 nft_active_genmask(set, genmask))
3475 return ERR_PTR(-ENOENT);
3478 struct nft_set *nft_set_lookup_global(const struct net *net,
3479 const struct nft_table *table,
3480 const struct nlattr *nla_set_name,
3481 const struct nlattr *nla_set_id,
3484 struct nft_set *set;
3486 set = nft_set_lookup(table, nla_set_name, genmask);
3491 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3495 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3497 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3500 const struct nft_set *i;
3502 unsigned long *inuse;
3503 unsigned int n = 0, min = 0;
3505 p = strchr(name, '%');
3507 if (p[1] != 'd' || strchr(p + 2, '%'))
3510 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3514 list_for_each_entry(i, &ctx->table->sets, list) {
3517 if (!nft_is_active_next(ctx->net, set))
3519 if (!sscanf(i->name, name, &tmp))
3521 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3524 set_bit(tmp - min, inuse);
3527 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3528 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3529 min += BITS_PER_BYTE * PAGE_SIZE;
3530 memset(inuse, 0, PAGE_SIZE);
3533 free_page((unsigned long)inuse);
3536 set->name = kasprintf(GFP_KERNEL, name, min + n);
3540 list_for_each_entry(i, &ctx->table->sets, list) {
3541 if (!nft_is_active_next(ctx->net, i))
3543 if (!strcmp(set->name, i->name)) {
3552 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3554 u64 ms = be64_to_cpu(nla_get_be64(nla));
3555 u64 max = (u64)(~((u64)0));
3557 max = div_u64(max, NSEC_PER_MSEC);
3561 ms *= NSEC_PER_MSEC;
3562 *result = nsecs_to_jiffies64(ms);
3566 static __be64 nf_jiffies64_to_msecs(u64 input)
3568 return cpu_to_be64(jiffies64_to_msecs(input));
3571 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3572 const struct nft_set *set)
3574 struct nlattr *concat, *field;
3577 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3581 for (i = 0; i < set->field_count; i++) {
3582 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3586 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3587 htonl(set->field_len[i])))
3590 nla_nest_end(skb, field);
3593 nla_nest_end(skb, concat);
3598 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3599 const struct nft_set *set, u16 event, u16 flags)
3601 struct nfgenmsg *nfmsg;
3602 struct nlmsghdr *nlh;
3603 u32 portid = ctx->portid;
3604 struct nlattr *nest;
3607 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3608 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3611 goto nla_put_failure;
3613 nfmsg = nlmsg_data(nlh);
3614 nfmsg->nfgen_family = ctx->family;
3615 nfmsg->version = NFNETLINK_V0;
3616 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3618 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3619 goto nla_put_failure;
3620 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3621 goto nla_put_failure;
3622 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3624 goto nla_put_failure;
3625 if (set->flags != 0)
3626 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3627 goto nla_put_failure;
3629 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3630 goto nla_put_failure;
3631 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3632 goto nla_put_failure;
3633 if (set->flags & NFT_SET_MAP) {
3634 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3635 goto nla_put_failure;
3636 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3637 goto nla_put_failure;
3639 if (set->flags & NFT_SET_OBJECT &&
3640 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3641 goto nla_put_failure;
3644 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3645 nf_jiffies64_to_msecs(set->timeout),
3647 goto nla_put_failure;
3649 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3650 goto nla_put_failure;
3652 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3653 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3654 goto nla_put_failure;
3657 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3658 goto nla_put_failure;
3660 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3662 goto nla_put_failure;
3664 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3665 goto nla_put_failure;
3667 if (set->field_count > 1 &&
3668 nf_tables_fill_set_concat(skb, set))
3669 goto nla_put_failure;
3671 nla_nest_end(skb, nest);
3674 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3675 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3676 goto nla_put_failure;
3678 nla_nest_end(skb, nest);
3681 nlmsg_end(skb, nlh);
3685 nlmsg_trim(skb, nlh);
3689 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3690 const struct nft_set *set, int event,
3693 struct sk_buff *skb;
3694 u32 portid = ctx->portid;
3698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3701 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3705 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3711 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3715 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3718 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3720 const struct nft_set *set;
3721 unsigned int idx, s_idx = cb->args[0];
3722 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3723 struct net *net = sock_net(skb->sk);
3724 struct nft_ctx *ctx = cb->data, ctx_set;
3730 cb->seq = net->nft.base_seq;
3732 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3733 if (ctx->family != NFPROTO_UNSPEC &&
3734 ctx->family != table->family)
3737 if (ctx->table && ctx->table != table)
3741 if (cur_table != table)
3747 list_for_each_entry_rcu(set, &table->sets, list) {
3750 if (!nft_is_active(net, set))
3754 ctx_set.table = table;
3755 ctx_set.family = table->family;
3757 if (nf_tables_fill_set(skb, &ctx_set, set,
3761 cb->args[2] = (unsigned long) table;
3764 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3777 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3779 struct nft_ctx *ctx_dump = NULL;
3781 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3782 if (ctx_dump == NULL)
3785 cb->data = ctx_dump;
3789 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3795 /* called with rcu_read_lock held */
3796 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3797 struct sk_buff *skb, const struct nlmsghdr *nlh,
3798 const struct nlattr * const nla[],
3799 struct netlink_ext_ack *extack)
3801 u8 genmask = nft_genmask_cur(net);
3802 const struct nft_set *set;
3804 struct sk_buff *skb2;
3805 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3808 /* Verify existence before starting dump */
3809 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3814 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3815 struct netlink_dump_control c = {
3816 .start = nf_tables_dump_sets_start,
3817 .dump = nf_tables_dump_sets,
3818 .done = nf_tables_dump_sets_done,
3820 .module = THIS_MODULE,
3823 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3826 /* Only accept unspec with dump */
3827 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3828 return -EAFNOSUPPORT;
3829 if (!nla[NFTA_SET_TABLE])
3832 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3834 return PTR_ERR(set);
3836 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3840 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3844 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3851 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
3852 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
3855 static int nft_set_desc_concat_parse(const struct nlattr *attr,
3856 struct nft_set_desc *desc)
3858 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
3862 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
3863 nft_concat_policy, NULL);
3867 if (!tb[NFTA_SET_FIELD_LEN])
3870 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
3872 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
3875 desc->field_len[desc->field_count++] = len;
3880 static int nft_set_desc_concat(struct nft_set_desc *desc,
3881 const struct nlattr *nla)
3883 struct nlattr *attr;
3886 nla_for_each_nested(attr, nla, rem) {
3887 if (nla_type(attr) != NFTA_LIST_ELEM)
3890 err = nft_set_desc_concat_parse(attr, desc);
3898 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3899 const struct nlattr *nla)
3901 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3904 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3905 nft_set_desc_policy, NULL);
3909 if (da[NFTA_SET_DESC_SIZE] != NULL)
3910 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3911 if (da[NFTA_SET_DESC_CONCAT])
3912 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
3917 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3918 struct sk_buff *skb, const struct nlmsghdr *nlh,
3919 const struct nlattr * const nla[],
3920 struct netlink_ext_ack *extack)
3922 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3923 u8 genmask = nft_genmask_next(net);
3924 int family = nfmsg->nfgen_family;
3925 const struct nft_set_ops *ops;
3926 struct nft_expr *expr = NULL;
3927 struct nft_table *table;
3928 struct nft_set *set;
3933 u32 ktype, dtype, flags, policy, gc_int, objtype;
3934 struct nft_set_desc desc;
3935 unsigned char *udata;
3940 if (nla[NFTA_SET_TABLE] == NULL ||
3941 nla[NFTA_SET_NAME] == NULL ||
3942 nla[NFTA_SET_KEY_LEN] == NULL ||
3943 nla[NFTA_SET_ID] == NULL)
3946 memset(&desc, 0, sizeof(desc));
3948 ktype = NFT_DATA_VALUE;
3949 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3950 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3951 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3955 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3956 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3960 if (nla[NFTA_SET_FLAGS] != NULL) {
3961 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3962 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3963 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3964 NFT_SET_MAP | NFT_SET_EVAL |
3965 NFT_SET_OBJECT | NFT_SET_CONCAT))
3967 /* Only one of these operations is supported */
3968 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3969 (NFT_SET_MAP | NFT_SET_OBJECT))
3971 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3972 (NFT_SET_EVAL | NFT_SET_OBJECT))
3977 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3978 if (!(flags & NFT_SET_MAP))
3981 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3982 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3983 dtype != NFT_DATA_VERDICT)
3986 if (dtype != NFT_DATA_VERDICT) {
3987 if (nla[NFTA_SET_DATA_LEN] == NULL)
3989 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3990 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3993 desc.dlen = sizeof(struct nft_verdict);
3994 } else if (flags & NFT_SET_MAP)
3997 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3998 if (!(flags & NFT_SET_OBJECT))
4001 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4002 if (objtype == NFT_OBJECT_UNSPEC ||
4003 objtype > NFT_OBJECT_MAX)
4005 } else if (flags & NFT_SET_OBJECT)
4008 objtype = NFT_OBJECT_UNSPEC;
4011 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4012 if (!(flags & NFT_SET_TIMEOUT))
4015 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4020 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4021 if (!(flags & NFT_SET_TIMEOUT))
4023 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4026 policy = NFT_SET_POL_PERFORMANCE;
4027 if (nla[NFTA_SET_POLICY] != NULL)
4028 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4030 if (nla[NFTA_SET_DESC] != NULL) {
4031 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4036 if (nla[NFTA_SET_EXPR])
4039 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4040 if (IS_ERR(table)) {
4041 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4042 return PTR_ERR(table);
4045 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4047 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4049 if (PTR_ERR(set) != -ENOENT) {
4050 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4051 return PTR_ERR(set);
4054 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4055 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4058 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4064 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4067 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4069 return PTR_ERR(ops);
4072 if (nla[NFTA_SET_USERDATA])
4073 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4076 if (ops->privsize != NULL)
4077 size = ops->privsize(nla, &desc);
4079 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4083 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4089 err = nf_tables_set_alloc_name(&ctx, set, name);
4092 goto err_set_alloc_name;
4094 if (nla[NFTA_SET_EXPR]) {
4095 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4097 err = PTR_ERR(expr);
4098 goto err_set_alloc_name;
4104 udata = set->data + size;
4105 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4108 INIT_LIST_HEAD(&set->bindings);
4110 write_pnet(&set->net, net);
4113 set->klen = desc.klen;
4115 set->objtype = objtype;
4116 set->dlen = desc.dlen;
4119 set->size = desc.size;
4120 set->policy = policy;
4123 set->timeout = timeout;
4124 set->gc_int = gc_int;
4125 set->handle = nf_tables_alloc_handle(table);
4127 set->field_count = desc.field_count;
4128 for (i = 0; i < desc.field_count; i++)
4129 set->field_len[i] = desc.field_len[i];
4131 err = ops->init(set, &desc, nla);
4135 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4139 list_add_tail_rcu(&set->list, &table->sets);
4147 nft_expr_destroy(&ctx, expr);
4155 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4157 if (WARN_ON(set->use > 0))
4161 nft_expr_destroy(ctx, set->expr);
4163 set->ops->destroy(set);
4168 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4169 struct sk_buff *skb, const struct nlmsghdr *nlh,
4170 const struct nlattr * const nla[],
4171 struct netlink_ext_ack *extack)
4173 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4174 u8 genmask = nft_genmask_next(net);
4175 const struct nlattr *attr;
4176 struct nft_set *set;
4180 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4181 return -EAFNOSUPPORT;
4182 if (nla[NFTA_SET_TABLE] == NULL)
4185 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4190 if (nla[NFTA_SET_HANDLE]) {
4191 attr = nla[NFTA_SET_HANDLE];
4192 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4194 attr = nla[NFTA_SET_NAME];
4195 set = nft_set_lookup(ctx.table, attr, genmask);
4199 NL_SET_BAD_ATTR(extack, attr);
4200 return PTR_ERR(set);
4203 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4204 NL_SET_BAD_ATTR(extack, attr);
4208 return nft_delset(&ctx, set);
4211 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4212 struct nft_set *set,
4213 const struct nft_set_iter *iter,
4214 struct nft_set_elem *elem)
4216 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4217 enum nft_registers dreg;
4219 dreg = nft_type_to_reg(set->dtype);
4220 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4221 set->dtype == NFT_DATA_VERDICT ?
4222 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4226 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4227 struct nft_set_binding *binding)
4229 struct nft_set_binding *i;
4230 struct nft_set_iter iter;
4232 if (set->use == UINT_MAX)
4235 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4238 if (binding->flags & NFT_SET_MAP) {
4239 /* If the set is already bound to the same chain all
4240 * jumps are already validated for that chain.
4242 list_for_each_entry(i, &set->bindings, list) {
4243 if (i->flags & NFT_SET_MAP &&
4244 i->chain == binding->chain)
4248 iter.genmask = nft_genmask_next(ctx->net);
4252 iter.fn = nf_tables_bind_check_setelem;
4254 set->ops->walk(ctx, set, &iter);
4259 binding->chain = ctx->chain;
4260 list_add_tail_rcu(&binding->list, &set->bindings);
4261 nft_set_trans_bind(ctx, set);
4266 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4268 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4269 struct nft_set_binding *binding, bool event)
4271 list_del_rcu(&binding->list);
4273 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4274 list_del_rcu(&set->list);
4276 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4281 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4282 struct nft_set_binding *binding,
4283 enum nft_trans_phase phase)
4286 case NFT_TRANS_PREPARE:
4289 case NFT_TRANS_ABORT:
4290 case NFT_TRANS_RELEASE:
4294 nf_tables_unbind_set(ctx, set, binding,
4295 phase == NFT_TRANS_COMMIT);
4298 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4300 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4302 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4303 nft_set_destroy(ctx, set);
4305 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4307 const struct nft_set_ext_type nft_set_ext_types[] = {
4308 [NFT_SET_EXT_KEY] = {
4309 .align = __alignof__(u32),
4311 [NFT_SET_EXT_DATA] = {
4312 .align = __alignof__(u32),
4314 [NFT_SET_EXT_EXPR] = {
4315 .align = __alignof__(struct nft_expr),
4317 [NFT_SET_EXT_OBJREF] = {
4318 .len = sizeof(struct nft_object *),
4319 .align = __alignof__(struct nft_object *),
4321 [NFT_SET_EXT_FLAGS] = {
4323 .align = __alignof__(u8),
4325 [NFT_SET_EXT_TIMEOUT] = {
4327 .align = __alignof__(u64),
4329 [NFT_SET_EXT_EXPIRATION] = {
4331 .align = __alignof__(u64),
4333 [NFT_SET_EXT_USERDATA] = {
4334 .len = sizeof(struct nft_userdata),
4335 .align = __alignof__(struct nft_userdata),
4337 [NFT_SET_EXT_KEY_END] = {
4338 .align = __alignof__(u32),
4346 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4347 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4348 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4349 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4350 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4351 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4352 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4353 .len = NFT_USERDATA_MAXLEN },
4354 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4355 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4356 .len = NFT_OBJ_MAXNAMELEN - 1 },
4357 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4360 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4361 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4362 .len = NFT_TABLE_MAXNAMELEN - 1 },
4363 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4364 .len = NFT_SET_MAXNAMELEN - 1 },
4365 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4366 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4369 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4370 const struct sk_buff *skb,
4371 const struct nlmsghdr *nlh,
4372 const struct nlattr * const nla[],
4373 struct netlink_ext_ack *extack,
4376 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4377 int family = nfmsg->nfgen_family;
4378 struct nft_table *table;
4380 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4382 if (IS_ERR(table)) {
4383 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4384 return PTR_ERR(table);
4387 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4391 static int nf_tables_fill_setelem(struct sk_buff *skb,
4392 const struct nft_set *set,
4393 const struct nft_set_elem *elem)
4395 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4396 unsigned char *b = skb_tail_pointer(skb);
4397 struct nlattr *nest;
4399 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4401 goto nla_put_failure;
4403 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4404 NFT_DATA_VALUE, set->klen) < 0)
4405 goto nla_put_failure;
4407 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4408 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4409 NFT_DATA_VALUE, set->klen) < 0)
4410 goto nla_put_failure;
4412 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4413 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4414 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4416 goto nla_put_failure;
4418 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4419 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4420 goto nla_put_failure;
4422 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4423 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4424 (*nft_set_ext_obj(ext))->key.name) < 0)
4425 goto nla_put_failure;
4427 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4428 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4429 htonl(*nft_set_ext_flags(ext))))
4430 goto nla_put_failure;
4432 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4433 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4434 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4436 goto nla_put_failure;
4438 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4439 u64 expires, now = get_jiffies_64();
4441 expires = *nft_set_ext_expiration(ext);
4442 if (time_before64(now, expires))
4447 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4448 nf_jiffies64_to_msecs(expires),
4450 goto nla_put_failure;
4453 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4454 struct nft_userdata *udata;
4456 udata = nft_set_ext_userdata(ext);
4457 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4458 udata->len + 1, udata->data))
4459 goto nla_put_failure;
4462 nla_nest_end(skb, nest);
4470 struct nft_set_dump_args {
4471 const struct netlink_callback *cb;
4472 struct nft_set_iter iter;
4473 struct sk_buff *skb;
4476 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4477 struct nft_set *set,
4478 const struct nft_set_iter *iter,
4479 struct nft_set_elem *elem)
4481 struct nft_set_dump_args *args;
4483 args = container_of(iter, struct nft_set_dump_args, iter);
4484 return nf_tables_fill_setelem(args->skb, set, elem);
4487 struct nft_set_dump_ctx {
4488 const struct nft_set *set;
4492 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4494 struct nft_set_dump_ctx *dump_ctx = cb->data;
4495 struct net *net = sock_net(skb->sk);
4496 struct nft_table *table;
4497 struct nft_set *set;
4498 struct nft_set_dump_args args;
4499 bool set_found = false;
4500 struct nfgenmsg *nfmsg;
4501 struct nlmsghdr *nlh;
4502 struct nlattr *nest;
4507 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4508 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4509 dump_ctx->ctx.family != table->family)
4512 if (table != dump_ctx->ctx.table)
4515 list_for_each_entry_rcu(set, &table->sets, list) {
4516 if (set == dump_ctx->set) {
4529 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4530 portid = NETLINK_CB(cb->skb).portid;
4531 seq = cb->nlh->nlmsg_seq;
4533 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4536 goto nla_put_failure;
4538 nfmsg = nlmsg_data(nlh);
4539 nfmsg->nfgen_family = table->family;
4540 nfmsg->version = NFNETLINK_V0;
4541 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4543 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4544 goto nla_put_failure;
4545 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4546 goto nla_put_failure;
4548 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4550 goto nla_put_failure;
4554 args.iter.genmask = nft_genmask_cur(net);
4555 args.iter.skip = cb->args[0];
4556 args.iter.count = 0;
4558 args.iter.fn = nf_tables_dump_setelem;
4559 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4562 nla_nest_end(skb, nest);
4563 nlmsg_end(skb, nlh);
4565 if (args.iter.err && args.iter.err != -EMSGSIZE)
4566 return args.iter.err;
4567 if (args.iter.count == cb->args[0])
4570 cb->args[0] = args.iter.count;
4578 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4580 struct nft_set_dump_ctx *dump_ctx = cb->data;
4582 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4584 return cb->data ? 0 : -ENOMEM;
4587 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4593 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4594 const struct nft_ctx *ctx, u32 seq,
4595 u32 portid, int event, u16 flags,
4596 const struct nft_set *set,
4597 const struct nft_set_elem *elem)
4599 struct nfgenmsg *nfmsg;
4600 struct nlmsghdr *nlh;
4601 struct nlattr *nest;
4604 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4605 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4608 goto nla_put_failure;
4610 nfmsg = nlmsg_data(nlh);
4611 nfmsg->nfgen_family = ctx->family;
4612 nfmsg->version = NFNETLINK_V0;
4613 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4615 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4616 goto nla_put_failure;
4617 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4618 goto nla_put_failure;
4620 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4622 goto nla_put_failure;
4624 err = nf_tables_fill_setelem(skb, set, elem);
4626 goto nla_put_failure;
4628 nla_nest_end(skb, nest);
4630 nlmsg_end(skb, nlh);
4634 nlmsg_trim(skb, nlh);
4638 static int nft_setelem_parse_flags(const struct nft_set *set,
4639 const struct nlattr *attr, u32 *flags)
4644 *flags = ntohl(nla_get_be32(attr));
4645 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4647 if (!(set->flags & NFT_SET_INTERVAL) &&
4648 *flags & NFT_SET_ELEM_INTERVAL_END)
4654 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4655 struct nft_data *key, struct nlattr *attr)
4657 struct nft_data_desc desc;
4660 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4664 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4665 nft_data_release(key, desc.type);
4672 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4673 const struct nlattr *attr)
4675 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4676 struct nft_set_elem elem;
4677 struct sk_buff *skb;
4682 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4683 nft_set_elem_policy, NULL);
4687 if (!nla[NFTA_SET_ELEM_KEY])
4690 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4694 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4695 nla[NFTA_SET_ELEM_KEY]);
4699 if (nla[NFTA_SET_ELEM_KEY_END]) {
4700 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4701 nla[NFTA_SET_ELEM_KEY_END]);
4706 priv = set->ops->get(ctx->net, set, &elem, flags);
4708 return PTR_ERR(priv);
4713 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4717 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4718 NFT_MSG_NEWSETELEM, 0, set, &elem);
4722 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4723 /* This avoids a loop in nfnetlink. */
4731 /* this avoids a loop in nfnetlink. */
4732 return err == -EAGAIN ? -ENOBUFS : err;
4735 /* called with rcu_read_lock held */
4736 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4737 struct sk_buff *skb, const struct nlmsghdr *nlh,
4738 const struct nlattr * const nla[],
4739 struct netlink_ext_ack *extack)
4741 u8 genmask = nft_genmask_cur(net);
4742 struct nft_set *set;
4743 struct nlattr *attr;
4747 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4752 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4754 return PTR_ERR(set);
4756 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4757 struct netlink_dump_control c = {
4758 .start = nf_tables_dump_set_start,
4759 .dump = nf_tables_dump_set,
4760 .done = nf_tables_dump_set_done,
4761 .module = THIS_MODULE,
4763 struct nft_set_dump_ctx dump_ctx = {
4769 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4772 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4775 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4776 err = nft_get_set_elem(&ctx, set, attr);
4784 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4785 const struct nft_set *set,
4786 const struct nft_set_elem *elem,
4787 int event, u16 flags)
4789 struct net *net = ctx->net;
4790 u32 portid = ctx->portid;
4791 struct sk_buff *skb;
4794 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4797 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4801 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4808 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4812 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4815 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4817 struct nft_set *set)
4819 struct nft_trans *trans;
4821 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4825 nft_trans_elem_set(trans) = set;
4829 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
4830 const struct nft_set *set,
4831 const struct nlattr *attr)
4833 struct nft_expr *expr;
4836 expr = nft_expr_init(ctx, attr);
4841 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
4842 goto err_set_elem_expr;
4844 if (expr->ops->type->flags & NFT_EXPR_GC) {
4845 if (set->flags & NFT_SET_TIMEOUT)
4846 goto err_set_elem_expr;
4847 if (!set->ops->gc_init)
4848 goto err_set_elem_expr;
4849 set->ops->gc_init(set);
4855 nft_expr_destroy(ctx, expr);
4856 return ERR_PTR(err);
4859 void *nft_set_elem_init(const struct nft_set *set,
4860 const struct nft_set_ext_tmpl *tmpl,
4861 const u32 *key, const u32 *key_end,
4862 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
4864 struct nft_set_ext *ext;
4867 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4871 ext = nft_set_elem_ext(set, elem);
4872 nft_set_ext_init(ext, tmpl);
4874 memcpy(nft_set_ext_key(ext), key, set->klen);
4875 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
4876 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
4877 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4878 memcpy(nft_set_ext_data(ext), data, set->dlen);
4879 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4880 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4881 if (expiration == 0)
4882 *nft_set_ext_expiration(ext) += timeout;
4884 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4885 *nft_set_ext_timeout(ext) = timeout;
4890 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
4891 struct nft_expr *expr)
4893 if (expr->ops->destroy_clone) {
4894 expr->ops->destroy_clone(ctx, expr);
4895 module_put(expr->ops->type->owner);
4897 nf_tables_expr_destroy(ctx, expr);
4901 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4904 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4905 struct nft_ctx ctx = {
4906 .net = read_pnet(&set->net),
4907 .family = set->table->family,
4910 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4911 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4912 nft_data_release(nft_set_ext_data(ext), set->dtype);
4913 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4914 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
4916 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4917 (*nft_set_ext_obj(ext))->use--;
4920 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4922 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4923 * the refcounting from the preparation phase.
4925 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4926 const struct nft_set *set, void *elem)
4928 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4930 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4931 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
4936 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4937 const struct nlattr *attr, u32 nlmsg_flags)
4939 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4940 u8 genmask = nft_genmask_next(ctx->net);
4941 struct nft_set_ext_tmpl tmpl;
4942 struct nft_set_ext *ext, *ext2;
4943 struct nft_set_elem elem;
4944 struct nft_set_binding *binding;
4945 struct nft_object *obj = NULL;
4946 struct nft_expr *expr = NULL;
4947 struct nft_userdata *udata;
4948 struct nft_data_desc desc;
4949 struct nft_data data;
4950 enum nft_registers dreg;
4951 struct nft_trans *trans;
4958 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4959 nft_set_elem_policy, NULL);
4963 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4966 nft_set_ext_prepare(&tmpl);
4968 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4972 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4974 if (set->flags & NFT_SET_MAP) {
4975 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4976 !(flags & NFT_SET_ELEM_INTERVAL_END))
4979 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4983 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4984 (nla[NFTA_SET_ELEM_DATA] ||
4985 nla[NFTA_SET_ELEM_OBJREF] ||
4986 nla[NFTA_SET_ELEM_TIMEOUT] ||
4987 nla[NFTA_SET_ELEM_EXPIRATION] ||
4988 nla[NFTA_SET_ELEM_USERDATA] ||
4989 nla[NFTA_SET_ELEM_EXPR]))
4993 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4994 if (!(set->flags & NFT_SET_TIMEOUT))
4996 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5000 } else if (set->flags & NFT_SET_TIMEOUT) {
5001 timeout = set->timeout;
5005 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5006 if (!(set->flags & NFT_SET_TIMEOUT))
5008 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5014 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5015 expr = nft_set_elem_expr_alloc(ctx, set,
5016 nla[NFTA_SET_ELEM_EXPR]);
5018 return PTR_ERR(expr);
5021 if (set->expr && set->expr->ops != expr->ops)
5022 goto err_set_elem_expr;
5023 } else if (set->expr) {
5024 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5028 err = nft_expr_clone(expr, set->expr);
5030 goto err_set_elem_expr;
5033 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5034 nla[NFTA_SET_ELEM_KEY]);
5036 goto err_set_elem_expr;
5038 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5040 if (nla[NFTA_SET_ELEM_KEY_END]) {
5041 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5042 nla[NFTA_SET_ELEM_KEY_END]);
5046 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5050 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5051 if (timeout != set->timeout)
5052 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5056 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5059 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5060 if (!(set->flags & NFT_SET_OBJECT)) {
5062 goto err_parse_key_end;
5064 obj = nft_obj_lookup(ctx->net, ctx->table,
5065 nla[NFTA_SET_ELEM_OBJREF],
5066 set->objtype, genmask);
5069 goto err_parse_key_end;
5071 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5074 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5075 err = nft_data_init(ctx, &data, sizeof(data), &desc,
5076 nla[NFTA_SET_ELEM_DATA]);
5078 goto err_parse_key_end;
5081 if (set->dtype != NFT_DATA_VERDICT && desc.len != set->dlen)
5082 goto err_parse_data;
5084 dreg = nft_type_to_reg(set->dtype);
5085 list_for_each_entry(binding, &set->bindings, list) {
5086 struct nft_ctx bind_ctx = {
5088 .family = ctx->family,
5089 .table = ctx->table,
5090 .chain = (struct nft_chain *)binding->chain,
5093 if (!(binding->flags & NFT_SET_MAP))
5096 err = nft_validate_register_store(&bind_ctx, dreg,
5098 desc.type, desc.len);
5100 goto err_parse_data;
5102 if (desc.type == NFT_DATA_VERDICT &&
5103 (data.verdict.code == NFT_GOTO ||
5104 data.verdict.code == NFT_JUMP))
5105 nft_validate_state_update(ctx->net,
5109 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5112 /* The full maximum length of userdata can exceed the maximum
5113 * offset value (U8_MAX) for following extensions, therefor it
5114 * must be the last extension added.
5117 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5118 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5120 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5125 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5126 elem.key_end.val.data, data.data,
5127 timeout, expiration, GFP_KERNEL);
5128 if (elem.priv == NULL)
5129 goto err_parse_data;
5131 ext = nft_set_elem_ext(set, elem.priv);
5133 *nft_set_ext_flags(ext) = flags;
5135 udata = nft_set_ext_userdata(ext);
5136 udata->len = ulen - 1;
5137 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5140 *nft_set_ext_obj(ext) = obj;
5144 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5149 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5153 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5154 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5156 if (err == -EEXIST) {
5157 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5158 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5159 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5160 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
5162 goto err_element_clash;
5164 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5165 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5166 memcmp(nft_set_ext_data(ext),
5167 nft_set_ext_data(ext2), set->dlen) != 0) ||
5168 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5169 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5170 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5172 else if (!(nlmsg_flags & NLM_F_EXCL))
5174 } else if (err == -ENOTEMPTY) {
5175 /* ENOTEMPTY reports overlapping between this element
5176 * and an existing one.
5180 goto err_element_clash;
5184 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5189 nft_trans_elem(trans) = elem;
5190 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5194 set->ops->remove(ctx->net, set, &elem);
5201 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5203 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5204 nft_data_release(&data, desc.type);
5206 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5208 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5211 nft_expr_destroy(ctx, expr);
5216 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5217 struct sk_buff *skb, const struct nlmsghdr *nlh,
5218 const struct nlattr * const nla[],
5219 struct netlink_ext_ack *extack)
5221 u8 genmask = nft_genmask_next(net);
5222 const struct nlattr *attr;
5223 struct nft_set *set;
5227 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5230 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5235 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5236 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5238 return PTR_ERR(set);
5240 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5243 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5244 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5249 if (net->nft.validate_state == NFT_VALIDATE_DO)
5250 return nft_table_validate(net, ctx.table);
5256 * nft_data_hold - hold a nft_data item
5258 * @data: struct nft_data to release
5259 * @type: type of data
5261 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5262 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5263 * NFT_GOTO verdicts. This function must be called on active data objects
5264 * from the second phase of the commit protocol.
5266 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5268 if (type == NFT_DATA_VERDICT) {
5269 switch (data->verdict.code) {
5272 data->verdict.chain->use++;
5278 static void nft_set_elem_activate(const struct net *net,
5279 const struct nft_set *set,
5280 struct nft_set_elem *elem)
5282 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5284 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5285 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5286 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5287 (*nft_set_ext_obj(ext))->use++;
5290 static void nft_set_elem_deactivate(const struct net *net,
5291 const struct nft_set *set,
5292 struct nft_set_elem *elem)
5294 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5296 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5297 nft_data_release(nft_set_ext_data(ext), set->dtype);
5298 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5299 (*nft_set_ext_obj(ext))->use--;
5302 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5303 const struct nlattr *attr)
5305 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5306 struct nft_set_ext_tmpl tmpl;
5307 struct nft_set_elem elem;
5308 struct nft_set_ext *ext;
5309 struct nft_trans *trans;
5314 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5315 nft_set_elem_policy, NULL);
5319 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5322 nft_set_ext_prepare(&tmpl);
5324 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5328 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5330 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5331 nla[NFTA_SET_ELEM_KEY]);
5335 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5337 if (nla[NFTA_SET_ELEM_KEY_END]) {
5338 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5339 nla[NFTA_SET_ELEM_KEY_END]);
5343 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5347 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5348 elem.key_end.val.data, NULL, 0, 0,
5350 if (elem.priv == NULL)
5353 ext = nft_set_elem_ext(set, elem.priv);
5355 *nft_set_ext_flags(ext) = flags;
5357 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5361 priv = set->ops->deactivate(ctx->net, set, &elem);
5369 nft_set_elem_deactivate(ctx->net, set, &elem);
5371 nft_trans_elem(trans) = elem;
5372 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5380 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5384 static int nft_flush_set(const struct nft_ctx *ctx,
5385 struct nft_set *set,
5386 const struct nft_set_iter *iter,
5387 struct nft_set_elem *elem)
5389 struct nft_trans *trans;
5392 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5393 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5397 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5403 nft_set_elem_deactivate(ctx->net, set, elem);
5404 nft_trans_elem_set(trans) = set;
5405 nft_trans_elem(trans) = *elem;
5406 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5414 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5415 struct sk_buff *skb, const struct nlmsghdr *nlh,
5416 const struct nlattr * const nla[],
5417 struct netlink_ext_ack *extack)
5419 u8 genmask = nft_genmask_next(net);
5420 const struct nlattr *attr;
5421 struct nft_set *set;
5425 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5430 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5432 return PTR_ERR(set);
5433 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5436 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5437 struct nft_set_iter iter = {
5439 .fn = nft_flush_set,
5441 set->ops->walk(&ctx, set, &iter);
5446 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5447 err = nft_del_setelem(&ctx, set, attr);
5456 void nft_set_gc_batch_release(struct rcu_head *rcu)
5458 struct nft_set_gc_batch *gcb;
5461 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5462 for (i = 0; i < gcb->head.cnt; i++)
5463 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5467 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5470 struct nft_set_gc_batch *gcb;
5472 gcb = kzalloc(sizeof(*gcb), gfp);
5475 gcb->head.set = set;
5484 * nft_register_obj- register nf_tables stateful object type
5487 * Registers the object type for use with nf_tables. Returns zero on
5488 * success or a negative errno code otherwise.
5490 int nft_register_obj(struct nft_object_type *obj_type)
5492 if (obj_type->type == NFT_OBJECT_UNSPEC)
5495 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5496 list_add_rcu(&obj_type->list, &nf_tables_objects);
5497 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5500 EXPORT_SYMBOL_GPL(nft_register_obj);
5503 * nft_unregister_obj - unregister nf_tables object type
5506 * Unregisters the object type for use with nf_tables.
5508 void nft_unregister_obj(struct nft_object_type *obj_type)
5510 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5511 list_del_rcu(&obj_type->list);
5512 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5514 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5516 struct nft_object *nft_obj_lookup(const struct net *net,
5517 const struct nft_table *table,
5518 const struct nlattr *nla, u32 objtype,
5521 struct nft_object_hash_key k = { .table = table };
5522 char search[NFT_OBJ_MAXNAMELEN];
5523 struct rhlist_head *tmp, *list;
5524 struct nft_object *obj;
5526 nla_strlcpy(search, nla, sizeof(search));
5529 WARN_ON_ONCE(!rcu_read_lock_held() &&
5530 !lockdep_commit_lock_is_held(net));
5533 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5537 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5538 if (objtype == obj->ops->type->type &&
5539 nft_active_genmask(obj, genmask)) {
5546 return ERR_PTR(-ENOENT);
5548 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5550 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5551 const struct nlattr *nla,
5552 u32 objtype, u8 genmask)
5554 struct nft_object *obj;
5556 list_for_each_entry(obj, &table->objects, list) {
5557 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5558 objtype == obj->ops->type->type &&
5559 nft_active_genmask(obj, genmask))
5562 return ERR_PTR(-ENOENT);
5565 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5566 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5567 .len = NFT_TABLE_MAXNAMELEN - 1 },
5568 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5569 .len = NFT_OBJ_MAXNAMELEN - 1 },
5570 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5571 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5572 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5575 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5576 const struct nft_object_type *type,
5577 const struct nlattr *attr)
5580 const struct nft_object_ops *ops;
5581 struct nft_object *obj;
5584 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5589 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5590 type->policy, NULL);
5594 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5597 if (type->select_ops) {
5598 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5608 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5612 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5625 return ERR_PTR(err);
5628 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5629 struct nft_object *obj, bool reset)
5631 struct nlattr *nest;
5633 nest = nla_nest_start_noflag(skb, attr);
5635 goto nla_put_failure;
5636 if (obj->ops->dump(skb, obj, reset) < 0)
5637 goto nla_put_failure;
5638 nla_nest_end(skb, nest);
5645 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5647 const struct nft_object_type *type;
5649 list_for_each_entry(type, &nf_tables_objects, list) {
5650 if (objtype == type->type)
5656 static const struct nft_object_type *
5657 nft_obj_type_get(struct net *net, u32 objtype)
5659 const struct nft_object_type *type;
5661 type = __nft_obj_type_get(objtype);
5662 if (type != NULL && try_module_get(type->owner))
5665 lockdep_nfnl_nft_mutex_not_held();
5666 #ifdef CONFIG_MODULES
5668 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5669 return ERR_PTR(-EAGAIN);
5672 return ERR_PTR(-ENOENT);
5675 static int nf_tables_updobj(const struct nft_ctx *ctx,
5676 const struct nft_object_type *type,
5677 const struct nlattr *attr,
5678 struct nft_object *obj)
5680 struct nft_object *newobj;
5681 struct nft_trans *trans;
5684 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5685 sizeof(struct nft_trans_obj));
5689 newobj = nft_obj_init(ctx, type, attr);
5690 if (IS_ERR(newobj)) {
5691 err = PTR_ERR(newobj);
5692 goto err_free_trans;
5695 nft_trans_obj(trans) = obj;
5696 nft_trans_obj_update(trans) = true;
5697 nft_trans_obj_newobj(trans) = newobj;
5698 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5707 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5708 struct sk_buff *skb, const struct nlmsghdr *nlh,
5709 const struct nlattr * const nla[],
5710 struct netlink_ext_ack *extack)
5712 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5713 const struct nft_object_type *type;
5714 u8 genmask = nft_genmask_next(net);
5715 int family = nfmsg->nfgen_family;
5716 struct nft_table *table;
5717 struct nft_object *obj;
5722 if (!nla[NFTA_OBJ_TYPE] ||
5723 !nla[NFTA_OBJ_NAME] ||
5724 !nla[NFTA_OBJ_DATA])
5727 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5728 if (IS_ERR(table)) {
5729 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5730 return PTR_ERR(table);
5733 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5734 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5737 if (err != -ENOENT) {
5738 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5742 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5743 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5746 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5749 type = __nft_obj_type_get(objtype);
5750 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5752 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5755 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5757 type = nft_obj_type_get(net, objtype);
5759 return PTR_ERR(type);
5761 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5766 obj->key.table = table;
5767 obj->handle = nf_tables_alloc_handle(table);
5769 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5770 if (!obj->key.name) {
5775 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5779 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5780 nft_objname_ht_params);
5784 list_add_tail_rcu(&obj->list, &table->objects);
5788 /* queued in transaction log */
5789 INIT_LIST_HEAD(&obj->list);
5792 kfree(obj->key.name);
5794 if (obj->ops->destroy)
5795 obj->ops->destroy(&ctx, obj);
5798 module_put(type->owner);
5802 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5803 u32 portid, u32 seq, int event, u32 flags,
5804 int family, const struct nft_table *table,
5805 struct nft_object *obj, bool reset)
5807 struct nfgenmsg *nfmsg;
5808 struct nlmsghdr *nlh;
5810 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5811 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5813 goto nla_put_failure;
5815 nfmsg = nlmsg_data(nlh);
5816 nfmsg->nfgen_family = family;
5817 nfmsg->version = NFNETLINK_V0;
5818 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5820 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5821 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5822 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5823 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5824 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5825 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5827 goto nla_put_failure;
5829 nlmsg_end(skb, nlh);
5833 nlmsg_trim(skb, nlh);
5837 struct nft_obj_filter {
5842 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5844 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5845 const struct nft_table *table;
5846 unsigned int idx = 0, s_idx = cb->args[0];
5847 struct nft_obj_filter *filter = cb->data;
5848 struct net *net = sock_net(skb->sk);
5849 int family = nfmsg->nfgen_family;
5850 struct nft_object *obj;
5853 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5857 cb->seq = net->nft.base_seq;
5859 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5860 if (family != NFPROTO_UNSPEC && family != table->family)
5863 list_for_each_entry_rcu(obj, &table->objects, list) {
5864 if (!nft_is_active(net, obj))
5869 memset(&cb->args[1], 0,
5870 sizeof(cb->args) - sizeof(cb->args[0]));
5871 if (filter && filter->table &&
5872 strcmp(filter->table, table->name))
5875 filter->type != NFT_OBJECT_UNSPEC &&
5876 obj->ops->type->type != filter->type)
5879 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5882 NLM_F_MULTI | NLM_F_APPEND,
5883 table->family, table,
5887 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5899 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5901 const struct nlattr * const *nla = cb->data;
5902 struct nft_obj_filter *filter = NULL;
5904 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5905 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5909 if (nla[NFTA_OBJ_TABLE]) {
5910 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5911 if (!filter->table) {
5917 if (nla[NFTA_OBJ_TYPE])
5918 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5925 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5927 struct nft_obj_filter *filter = cb->data;
5930 kfree(filter->table);
5937 /* called with rcu_read_lock held */
5938 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5939 struct sk_buff *skb, const struct nlmsghdr *nlh,
5940 const struct nlattr * const nla[],
5941 struct netlink_ext_ack *extack)
5943 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5944 u8 genmask = nft_genmask_cur(net);
5945 int family = nfmsg->nfgen_family;
5946 const struct nft_table *table;
5947 struct nft_object *obj;
5948 struct sk_buff *skb2;
5953 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5954 struct netlink_dump_control c = {
5955 .start = nf_tables_dump_obj_start,
5956 .dump = nf_tables_dump_obj,
5957 .done = nf_tables_dump_obj_done,
5958 .module = THIS_MODULE,
5959 .data = (void *)nla,
5962 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5965 if (!nla[NFTA_OBJ_NAME] ||
5966 !nla[NFTA_OBJ_TYPE])
5969 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5970 if (IS_ERR(table)) {
5971 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5972 return PTR_ERR(table);
5975 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5976 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5978 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5979 return PTR_ERR(obj);
5982 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5986 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5989 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5990 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5991 family, table, obj, reset);
5995 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6001 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6003 if (obj->ops->destroy)
6004 obj->ops->destroy(ctx, obj);
6006 module_put(obj->ops->type->owner);
6007 kfree(obj->key.name);
6011 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6012 struct sk_buff *skb, const struct nlmsghdr *nlh,
6013 const struct nlattr * const nla[],
6014 struct netlink_ext_ack *extack)
6016 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6017 u8 genmask = nft_genmask_next(net);
6018 int family = nfmsg->nfgen_family;
6019 const struct nlattr *attr;
6020 struct nft_table *table;
6021 struct nft_object *obj;
6025 if (!nla[NFTA_OBJ_TYPE] ||
6026 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6029 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6030 if (IS_ERR(table)) {
6031 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6032 return PTR_ERR(table);
6035 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6036 if (nla[NFTA_OBJ_HANDLE]) {
6037 attr = nla[NFTA_OBJ_HANDLE];
6038 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6040 attr = nla[NFTA_OBJ_NAME];
6041 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6045 NL_SET_BAD_ATTR(extack, attr);
6046 return PTR_ERR(obj);
6049 NL_SET_BAD_ATTR(extack, attr);
6053 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6055 return nft_delobj(&ctx, obj);
6058 void nft_obj_notify(struct net *net, const struct nft_table *table,
6059 struct nft_object *obj, u32 portid, u32 seq, int event,
6060 int family, int report, gfp_t gfp)
6062 struct sk_buff *skb;
6066 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6069 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6073 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6080 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
6083 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6085 EXPORT_SYMBOL_GPL(nft_obj_notify);
6087 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6088 struct nft_object *obj, int event)
6090 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6091 ctx->family, ctx->report, GFP_KERNEL);
6097 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6099 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6100 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6101 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6103 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6105 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6107 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6108 list_del_rcu(&type->list);
6109 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6111 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6113 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6114 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6115 .len = NFT_NAME_MAXLEN - 1 },
6116 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6117 .len = NFT_NAME_MAXLEN - 1 },
6118 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6119 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6120 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6123 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6124 const struct nlattr *nla, u8 genmask)
6126 struct nft_flowtable *flowtable;
6128 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6129 if (!nla_strcmp(nla, flowtable->name) &&
6130 nft_active_genmask(flowtable, genmask))
6133 return ERR_PTR(-ENOENT);
6135 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6137 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6138 struct nft_flowtable *flowtable,
6139 enum nft_trans_phase phase)
6142 case NFT_TRANS_PREPARE:
6143 case NFT_TRANS_ABORT:
6144 case NFT_TRANS_RELEASE:
6151 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6153 static struct nft_flowtable *
6154 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6155 const struct nlattr *nla, u8 genmask)
6157 struct nft_flowtable *flowtable;
6159 list_for_each_entry(flowtable, &table->flowtables, list) {
6160 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6161 nft_active_genmask(flowtable, genmask))
6164 return ERR_PTR(-ENOENT);
6167 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6168 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6169 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6170 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6173 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
6174 const struct nlattr *attr,
6175 struct nft_flowtable *flowtable)
6177 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6178 struct nft_hook *hook;
6179 int hooknum, priority;
6182 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6183 nft_flowtable_hook_policy, NULL);
6187 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6188 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
6189 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
6192 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6193 if (hooknum != NF_NETDEV_INGRESS)
6196 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6198 err = nf_tables_parse_netdev_hooks(ctx->net,
6199 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6200 &flowtable->hook_list);
6204 flowtable->hooknum = hooknum;
6205 flowtable->data.priority = priority;
6207 list_for_each_entry(hook, &flowtable->hook_list, list) {
6208 hook->ops.pf = NFPROTO_NETDEV;
6209 hook->ops.hooknum = hooknum;
6210 hook->ops.priority = priority;
6211 hook->ops.priv = &flowtable->data;
6212 hook->ops.hook = flowtable->data.type->hook;
6218 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6220 const struct nf_flowtable_type *type;
6222 list_for_each_entry(type, &nf_tables_flowtables, list) {
6223 if (family == type->family)
6229 static const struct nf_flowtable_type *
6230 nft_flowtable_type_get(struct net *net, u8 family)
6232 const struct nf_flowtable_type *type;
6234 type = __nft_flowtable_type_get(family);
6235 if (type != NULL && try_module_get(type->owner))
6238 lockdep_nfnl_nft_mutex_not_held();
6239 #ifdef CONFIG_MODULES
6241 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6242 return ERR_PTR(-EAGAIN);
6245 return ERR_PTR(-ENOENT);
6248 /* Only called from error and netdev event paths. */
6249 static void nft_unregister_flowtable_hook(struct net *net,
6250 struct nft_flowtable *flowtable,
6251 struct nft_hook *hook)
6253 nf_unregister_net_hook(net, &hook->ops);
6254 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6258 static void nft_unregister_flowtable_net_hooks(struct net *net,
6259 struct nft_flowtable *flowtable)
6261 struct nft_hook *hook;
6263 list_for_each_entry(hook, &flowtable->hook_list, list)
6264 nf_unregister_net_hook(net, &hook->ops);
6267 static int nft_register_flowtable_net_hooks(struct net *net,
6268 struct nft_table *table,
6269 struct nft_flowtable *flowtable)
6271 struct nft_hook *hook, *hook2, *next;
6272 struct nft_flowtable *ft;
6275 list_for_each_entry(hook, &flowtable->hook_list, list) {
6276 list_for_each_entry(ft, &table->flowtables, list) {
6277 list_for_each_entry(hook2, &ft->hook_list, list) {
6278 if (hook->ops.dev == hook2->ops.dev &&
6279 hook->ops.pf == hook2->ops.pf) {
6281 goto err_unregister_net_hooks;
6286 err = flowtable->data.type->setup(&flowtable->data,
6290 goto err_unregister_net_hooks;
6292 err = nf_register_net_hook(net, &hook->ops);
6294 flowtable->data.type->setup(&flowtable->data,
6297 goto err_unregister_net_hooks;
6305 err_unregister_net_hooks:
6306 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6310 nft_unregister_flowtable_hook(net, flowtable, hook);
6311 list_del_rcu(&hook->list);
6312 kfree_rcu(hook, rcu);
6318 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6319 struct sk_buff *skb,
6320 const struct nlmsghdr *nlh,
6321 const struct nlattr * const nla[],
6322 struct netlink_ext_ack *extack)
6324 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6325 const struct nf_flowtable_type *type;
6326 u8 genmask = nft_genmask_next(net);
6327 int family = nfmsg->nfgen_family;
6328 struct nft_flowtable *flowtable;
6329 struct nft_hook *hook, *next;
6330 struct nft_table *table;
6334 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6335 !nla[NFTA_FLOWTABLE_NAME] ||
6336 !nla[NFTA_FLOWTABLE_HOOK])
6339 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6341 if (IS_ERR(table)) {
6342 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6343 return PTR_ERR(table);
6346 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6348 if (IS_ERR(flowtable)) {
6349 err = PTR_ERR(flowtable);
6350 if (err != -ENOENT) {
6351 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6355 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6356 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6363 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6365 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6369 flowtable->table = table;
6370 flowtable->handle = nf_tables_alloc_handle(table);
6371 INIT_LIST_HEAD(&flowtable->hook_list);
6373 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6374 if (!flowtable->name) {
6379 type = nft_flowtable_type_get(net, family);
6381 err = PTR_ERR(type);
6385 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6386 flowtable->data.flags =
6387 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6388 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6392 write_pnet(&flowtable->data.net, net);
6393 flowtable->data.type = type;
6394 err = type->init(&flowtable->data);
6398 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6403 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6405 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6406 list_del_rcu(&hook->list);
6407 kfree_rcu(hook, rcu);
6412 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6416 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6421 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6422 nft_unregister_flowtable_hook(net, flowtable, hook);
6423 list_del_rcu(&hook->list);
6424 kfree_rcu(hook, rcu);
6427 flowtable->data.type->free(&flowtable->data);
6429 module_put(type->owner);
6431 kfree(flowtable->name);
6437 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6438 struct sk_buff *skb,
6439 const struct nlmsghdr *nlh,
6440 const struct nlattr * const nla[],
6441 struct netlink_ext_ack *extack)
6443 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6444 u8 genmask = nft_genmask_next(net);
6445 int family = nfmsg->nfgen_family;
6446 struct nft_flowtable *flowtable;
6447 const struct nlattr *attr;
6448 struct nft_table *table;
6451 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6452 (!nla[NFTA_FLOWTABLE_NAME] &&
6453 !nla[NFTA_FLOWTABLE_HANDLE]))
6456 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6458 if (IS_ERR(table)) {
6459 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6460 return PTR_ERR(table);
6463 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6464 attr = nla[NFTA_FLOWTABLE_HANDLE];
6465 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6467 attr = nla[NFTA_FLOWTABLE_NAME];
6468 flowtable = nft_flowtable_lookup(table, attr, genmask);
6471 if (IS_ERR(flowtable)) {
6472 NL_SET_BAD_ATTR(extack, attr);
6473 return PTR_ERR(flowtable);
6475 if (flowtable->use > 0) {
6476 NL_SET_BAD_ATTR(extack, attr);
6480 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6482 return nft_delflowtable(&ctx, flowtable);
6485 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6486 u32 portid, u32 seq, int event,
6487 u32 flags, int family,
6488 struct nft_flowtable *flowtable)
6490 struct nlattr *nest, *nest_devs;
6491 struct nfgenmsg *nfmsg;
6492 struct nft_hook *hook;
6493 struct nlmsghdr *nlh;
6495 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6496 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6498 goto nla_put_failure;
6500 nfmsg = nlmsg_data(nlh);
6501 nfmsg->nfgen_family = family;
6502 nfmsg->version = NFNETLINK_V0;
6503 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6505 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6506 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6507 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6508 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6509 NFTA_FLOWTABLE_PAD) ||
6510 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6511 goto nla_put_failure;
6513 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6515 goto nla_put_failure;
6516 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6517 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6518 goto nla_put_failure;
6520 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6522 goto nla_put_failure;
6524 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6525 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6526 goto nla_put_failure;
6528 nla_nest_end(skb, nest_devs);
6529 nla_nest_end(skb, nest);
6531 nlmsg_end(skb, nlh);
6535 nlmsg_trim(skb, nlh);
6539 struct nft_flowtable_filter {
6543 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6544 struct netlink_callback *cb)
6546 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6547 struct nft_flowtable_filter *filter = cb->data;
6548 unsigned int idx = 0, s_idx = cb->args[0];
6549 struct net *net = sock_net(skb->sk);
6550 int family = nfmsg->nfgen_family;
6551 struct nft_flowtable *flowtable;
6552 const struct nft_table *table;
6555 cb->seq = net->nft.base_seq;
6557 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6558 if (family != NFPROTO_UNSPEC && family != table->family)
6561 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6562 if (!nft_is_active(net, flowtable))
6567 memset(&cb->args[1], 0,
6568 sizeof(cb->args) - sizeof(cb->args[0]));
6569 if (filter && filter->table &&
6570 strcmp(filter->table, table->name))
6573 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6575 NFT_MSG_NEWFLOWTABLE,
6576 NLM_F_MULTI | NLM_F_APPEND,
6577 table->family, flowtable) < 0)
6580 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6592 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6594 const struct nlattr * const *nla = cb->data;
6595 struct nft_flowtable_filter *filter = NULL;
6597 if (nla[NFTA_FLOWTABLE_TABLE]) {
6598 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6602 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6604 if (!filter->table) {
6614 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6616 struct nft_flowtable_filter *filter = cb->data;
6621 kfree(filter->table);
6627 /* called with rcu_read_lock held */
6628 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6629 struct sk_buff *skb,
6630 const struct nlmsghdr *nlh,
6631 const struct nlattr * const nla[],
6632 struct netlink_ext_ack *extack)
6634 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6635 u8 genmask = nft_genmask_cur(net);
6636 int family = nfmsg->nfgen_family;
6637 struct nft_flowtable *flowtable;
6638 const struct nft_table *table;
6639 struct sk_buff *skb2;
6642 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6643 struct netlink_dump_control c = {
6644 .start = nf_tables_dump_flowtable_start,
6645 .dump = nf_tables_dump_flowtable,
6646 .done = nf_tables_dump_flowtable_done,
6647 .module = THIS_MODULE,
6648 .data = (void *)nla,
6651 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6654 if (!nla[NFTA_FLOWTABLE_NAME])
6657 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6660 return PTR_ERR(table);
6662 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6664 if (IS_ERR(flowtable))
6665 return PTR_ERR(flowtable);
6667 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6671 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6673 NFT_MSG_NEWFLOWTABLE, 0, family,
6678 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6684 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6685 struct nft_flowtable *flowtable,
6688 struct sk_buff *skb;
6692 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6695 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6699 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6701 ctx->family, flowtable);
6707 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6708 ctx->report, GFP_KERNEL);
6711 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6714 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6716 struct nft_hook *hook, *next;
6718 flowtable->data.type->free(&flowtable->data);
6719 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6720 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6722 list_del_rcu(&hook->list);
6725 kfree(flowtable->name);
6726 module_put(flowtable->data.type->owner);
6730 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6731 u32 portid, u32 seq)
6733 struct nlmsghdr *nlh;
6734 struct nfgenmsg *nfmsg;
6735 char buf[TASK_COMM_LEN];
6736 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6738 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6740 goto nla_put_failure;
6742 nfmsg = nlmsg_data(nlh);
6743 nfmsg->nfgen_family = AF_UNSPEC;
6744 nfmsg->version = NFNETLINK_V0;
6745 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6747 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6748 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6749 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6750 goto nla_put_failure;
6752 nlmsg_end(skb, nlh);
6756 nlmsg_trim(skb, nlh);
6760 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6761 struct nft_flowtable *flowtable)
6763 struct nft_hook *hook;
6765 list_for_each_entry(hook, &flowtable->hook_list, list) {
6766 if (hook->ops.dev != dev)
6769 /* flow_offload_netdev_event() cleans up entries for us. */
6770 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6771 list_del_rcu(&hook->list);
6772 kfree_rcu(hook, rcu);
6777 static int nf_tables_flowtable_event(struct notifier_block *this,
6778 unsigned long event, void *ptr)
6780 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6781 struct nft_flowtable *flowtable;
6782 struct nft_table *table;
6785 if (event != NETDEV_UNREGISTER)
6789 mutex_lock(&net->nft.commit_mutex);
6790 list_for_each_entry(table, &net->nft.tables, list) {
6791 list_for_each_entry(flowtable, &table->flowtables, list) {
6792 nft_flowtable_event(event, dev, flowtable);
6795 mutex_unlock(&net->nft.commit_mutex);
6800 static struct notifier_block nf_tables_flowtable_notifier = {
6801 .notifier_call = nf_tables_flowtable_event,
6804 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6807 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6808 struct sk_buff *skb2;
6811 if (nlmsg_report(nlh) &&
6812 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6815 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6819 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6826 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6827 nlmsg_report(nlh), GFP_KERNEL);
6830 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6834 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6835 struct sk_buff *skb, const struct nlmsghdr *nlh,
6836 const struct nlattr * const nla[],
6837 struct netlink_ext_ack *extack)
6839 struct sk_buff *skb2;
6842 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6846 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6851 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6857 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6858 [NFT_MSG_NEWTABLE] = {
6859 .call_batch = nf_tables_newtable,
6860 .attr_count = NFTA_TABLE_MAX,
6861 .policy = nft_table_policy,
6863 [NFT_MSG_GETTABLE] = {
6864 .call_rcu = nf_tables_gettable,
6865 .attr_count = NFTA_TABLE_MAX,
6866 .policy = nft_table_policy,
6868 [NFT_MSG_DELTABLE] = {
6869 .call_batch = nf_tables_deltable,
6870 .attr_count = NFTA_TABLE_MAX,
6871 .policy = nft_table_policy,
6873 [NFT_MSG_NEWCHAIN] = {
6874 .call_batch = nf_tables_newchain,
6875 .attr_count = NFTA_CHAIN_MAX,
6876 .policy = nft_chain_policy,
6878 [NFT_MSG_GETCHAIN] = {
6879 .call_rcu = nf_tables_getchain,
6880 .attr_count = NFTA_CHAIN_MAX,
6881 .policy = nft_chain_policy,
6883 [NFT_MSG_DELCHAIN] = {
6884 .call_batch = nf_tables_delchain,
6885 .attr_count = NFTA_CHAIN_MAX,
6886 .policy = nft_chain_policy,
6888 [NFT_MSG_NEWRULE] = {
6889 .call_batch = nf_tables_newrule,
6890 .attr_count = NFTA_RULE_MAX,
6891 .policy = nft_rule_policy,
6893 [NFT_MSG_GETRULE] = {
6894 .call_rcu = nf_tables_getrule,
6895 .attr_count = NFTA_RULE_MAX,
6896 .policy = nft_rule_policy,
6898 [NFT_MSG_DELRULE] = {
6899 .call_batch = nf_tables_delrule,
6900 .attr_count = NFTA_RULE_MAX,
6901 .policy = nft_rule_policy,
6903 [NFT_MSG_NEWSET] = {
6904 .call_batch = nf_tables_newset,
6905 .attr_count = NFTA_SET_MAX,
6906 .policy = nft_set_policy,
6908 [NFT_MSG_GETSET] = {
6909 .call_rcu = nf_tables_getset,
6910 .attr_count = NFTA_SET_MAX,
6911 .policy = nft_set_policy,
6913 [NFT_MSG_DELSET] = {
6914 .call_batch = nf_tables_delset,
6915 .attr_count = NFTA_SET_MAX,
6916 .policy = nft_set_policy,
6918 [NFT_MSG_NEWSETELEM] = {
6919 .call_batch = nf_tables_newsetelem,
6920 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6921 .policy = nft_set_elem_list_policy,
6923 [NFT_MSG_GETSETELEM] = {
6924 .call_rcu = nf_tables_getsetelem,
6925 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6926 .policy = nft_set_elem_list_policy,
6928 [NFT_MSG_DELSETELEM] = {
6929 .call_batch = nf_tables_delsetelem,
6930 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6931 .policy = nft_set_elem_list_policy,
6933 [NFT_MSG_GETGEN] = {
6934 .call_rcu = nf_tables_getgen,
6936 [NFT_MSG_NEWOBJ] = {
6937 .call_batch = nf_tables_newobj,
6938 .attr_count = NFTA_OBJ_MAX,
6939 .policy = nft_obj_policy,
6941 [NFT_MSG_GETOBJ] = {
6942 .call_rcu = nf_tables_getobj,
6943 .attr_count = NFTA_OBJ_MAX,
6944 .policy = nft_obj_policy,
6946 [NFT_MSG_DELOBJ] = {
6947 .call_batch = nf_tables_delobj,
6948 .attr_count = NFTA_OBJ_MAX,
6949 .policy = nft_obj_policy,
6951 [NFT_MSG_GETOBJ_RESET] = {
6952 .call_rcu = nf_tables_getobj,
6953 .attr_count = NFTA_OBJ_MAX,
6954 .policy = nft_obj_policy,
6956 [NFT_MSG_NEWFLOWTABLE] = {
6957 .call_batch = nf_tables_newflowtable,
6958 .attr_count = NFTA_FLOWTABLE_MAX,
6959 .policy = nft_flowtable_policy,
6961 [NFT_MSG_GETFLOWTABLE] = {
6962 .call_rcu = nf_tables_getflowtable,
6963 .attr_count = NFTA_FLOWTABLE_MAX,
6964 .policy = nft_flowtable_policy,
6966 [NFT_MSG_DELFLOWTABLE] = {
6967 .call_batch = nf_tables_delflowtable,
6968 .attr_count = NFTA_FLOWTABLE_MAX,
6969 .policy = nft_flowtable_policy,
6973 static int nf_tables_validate(struct net *net)
6975 struct nft_table *table;
6977 switch (net->nft.validate_state) {
6978 case NFT_VALIDATE_SKIP:
6980 case NFT_VALIDATE_NEED:
6981 nft_validate_state_update(net, NFT_VALIDATE_DO);
6983 case NFT_VALIDATE_DO:
6984 list_for_each_entry(table, &net->nft.tables, list) {
6985 if (nft_table_validate(net, table) < 0)
6994 /* a drop policy has to be deferred until all rules have been activated,
6995 * otherwise a large ruleset that contains a drop-policy base chain will
6996 * cause all packets to get dropped until the full transaction has been
6999 * We defer the drop policy until the transaction has been finalized.
7001 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7003 struct nft_base_chain *basechain;
7005 if (nft_trans_chain_policy(trans) != NF_DROP)
7008 if (!nft_is_base_chain(trans->ctx.chain))
7011 basechain = nft_base_chain(trans->ctx.chain);
7012 basechain->policy = NF_DROP;
7015 static void nft_chain_commit_update(struct nft_trans *trans)
7017 struct nft_base_chain *basechain;
7019 if (nft_trans_chain_name(trans)) {
7020 rhltable_remove(&trans->ctx.table->chains_ht,
7021 &trans->ctx.chain->rhlhead,
7022 nft_chain_ht_params);
7023 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7024 rhltable_insert_key(&trans->ctx.table->chains_ht,
7025 trans->ctx.chain->name,
7026 &trans->ctx.chain->rhlhead,
7027 nft_chain_ht_params);
7030 if (!nft_is_base_chain(trans->ctx.chain))
7033 nft_chain_stats_replace(trans);
7035 basechain = nft_base_chain(trans->ctx.chain);
7037 switch (nft_trans_chain_policy(trans)) {
7040 basechain->policy = nft_trans_chain_policy(trans);
7045 static void nft_obj_commit_update(struct nft_trans *trans)
7047 struct nft_object *newobj;
7048 struct nft_object *obj;
7050 obj = nft_trans_obj(trans);
7051 newobj = nft_trans_obj_newobj(trans);
7053 if (obj->ops->update)
7054 obj->ops->update(obj, newobj);
7059 static void nft_commit_release(struct nft_trans *trans)
7061 switch (trans->msg_type) {
7062 case NFT_MSG_DELTABLE:
7063 nf_tables_table_destroy(&trans->ctx);
7065 case NFT_MSG_NEWCHAIN:
7066 free_percpu(nft_trans_chain_stats(trans));
7067 kfree(nft_trans_chain_name(trans));
7069 case NFT_MSG_DELCHAIN:
7070 nf_tables_chain_destroy(&trans->ctx);
7072 case NFT_MSG_DELRULE:
7073 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7075 case NFT_MSG_DELSET:
7076 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7078 case NFT_MSG_DELSETELEM:
7079 nf_tables_set_elem_destroy(&trans->ctx,
7080 nft_trans_elem_set(trans),
7081 nft_trans_elem(trans).priv);
7083 case NFT_MSG_DELOBJ:
7084 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7086 case NFT_MSG_DELFLOWTABLE:
7087 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7092 put_net(trans->ctx.net);
7097 static void nf_tables_trans_destroy_work(struct work_struct *w)
7099 struct nft_trans *trans, *next;
7102 spin_lock(&nf_tables_destroy_list_lock);
7103 list_splice_init(&nf_tables_destroy_list, &head);
7104 spin_unlock(&nf_tables_destroy_list_lock);
7106 if (list_empty(&head))
7111 list_for_each_entry_safe(trans, next, &head, list) {
7112 list_del(&trans->list);
7113 nft_commit_release(trans);
7117 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7119 struct nft_rule *rule;
7120 unsigned int alloc = 0;
7123 /* already handled or inactive chain? */
7124 if (chain->rules_next || !nft_is_active_next(net, chain))
7127 rule = list_entry(&chain->rules, struct nft_rule, list);
7130 list_for_each_entry_continue(rule, &chain->rules, list) {
7131 if (nft_is_active_next(net, rule))
7135 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7136 if (!chain->rules_next)
7139 list_for_each_entry_continue(rule, &chain->rules, list) {
7140 if (nft_is_active_next(net, rule))
7141 chain->rules_next[i++] = rule;
7144 chain->rules_next[i] = NULL;
7148 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7150 struct nft_trans *trans, *next;
7152 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7153 struct nft_chain *chain = trans->ctx.chain;
7155 if (trans->msg_type == NFT_MSG_NEWRULE ||
7156 trans->msg_type == NFT_MSG_DELRULE) {
7157 kvfree(chain->rules_next);
7158 chain->rules_next = NULL;
7163 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7165 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7170 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7172 struct nft_rule **r = rules;
7173 struct nft_rules_old *old;
7178 r++; /* rcu_head is after end marker */
7182 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7185 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7187 struct nft_rule **g0, **g1;
7190 next_genbit = nft_gencursor_next(net);
7192 g0 = rcu_dereference_protected(chain->rules_gen_0,
7193 lockdep_commit_lock_is_held(net));
7194 g1 = rcu_dereference_protected(chain->rules_gen_1,
7195 lockdep_commit_lock_is_held(net));
7197 /* No changes to this chain? */
7198 if (chain->rules_next == NULL) {
7199 /* chain had no change in last or next generation */
7203 * chain had no change in this generation; make sure next
7204 * one uses same rules as current generation.
7207 rcu_assign_pointer(chain->rules_gen_1, g0);
7208 nf_tables_commit_chain_free_rules_old(g1);
7210 rcu_assign_pointer(chain->rules_gen_0, g1);
7211 nf_tables_commit_chain_free_rules_old(g0);
7218 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7220 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7222 chain->rules_next = NULL;
7228 nf_tables_commit_chain_free_rules_old(g1);
7230 nf_tables_commit_chain_free_rules_old(g0);
7233 static void nft_obj_del(struct nft_object *obj)
7235 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7236 list_del_rcu(&obj->list);
7239 static void nft_chain_del(struct nft_chain *chain)
7241 struct nft_table *table = chain->table;
7243 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7244 nft_chain_ht_params));
7245 list_del_rcu(&chain->list);
7248 static void nf_tables_module_autoload_cleanup(struct net *net)
7250 struct nft_module_request *req, *next;
7252 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7253 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7254 WARN_ON_ONCE(!req->done);
7255 list_del(&req->list);
7260 static void nf_tables_commit_release(struct net *net)
7262 struct nft_trans *trans;
7264 /* all side effects have to be made visible.
7265 * For example, if a chain named 'foo' has been deleted, a
7266 * new transaction must not find it anymore.
7268 * Memory reclaim happens asynchronously from work queue
7269 * to prevent expensive synchronize_rcu() in commit phase.
7271 if (list_empty(&net->nft.commit_list)) {
7272 nf_tables_module_autoload_cleanup(net);
7273 mutex_unlock(&net->nft.commit_mutex);
7277 trans = list_last_entry(&net->nft.commit_list,
7278 struct nft_trans, list);
7279 get_net(trans->ctx.net);
7280 WARN_ON_ONCE(trans->put_net);
7282 trans->put_net = true;
7283 spin_lock(&nf_tables_destroy_list_lock);
7284 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7285 spin_unlock(&nf_tables_destroy_list_lock);
7287 nf_tables_module_autoload_cleanup(net);
7288 mutex_unlock(&net->nft.commit_mutex);
7290 schedule_work(&trans_destroy_work);
7293 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7295 struct nft_trans *trans, *next;
7296 struct nft_trans_elem *te;
7297 struct nft_chain *chain;
7298 struct nft_table *table;
7301 if (list_empty(&net->nft.commit_list)) {
7302 mutex_unlock(&net->nft.commit_mutex);
7306 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7307 if (nf_tables_validate(net) < 0)
7310 err = nft_flow_rule_offload_commit(net);
7314 /* 1. Allocate space for next generation rules_gen_X[] */
7315 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7318 if (trans->msg_type == NFT_MSG_NEWRULE ||
7319 trans->msg_type == NFT_MSG_DELRULE) {
7320 chain = trans->ctx.chain;
7322 ret = nf_tables_commit_chain_prepare(net, chain);
7324 nf_tables_commit_chain_prepare_cancel(net);
7330 /* step 2. Make rules_gen_X visible to packet path */
7331 list_for_each_entry(table, &net->nft.tables, list) {
7332 list_for_each_entry(chain, &table->chains, list)
7333 nf_tables_commit_chain(net, chain);
7337 * Bump generation counter, invalidate any dump in progress.
7338 * Cannot fail after this point.
7340 while (++net->nft.base_seq == 0);
7342 /* step 3. Start new generation, rules_gen_X now in use. */
7343 net->nft.gencursor = nft_gencursor_next(net);
7345 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7346 switch (trans->msg_type) {
7347 case NFT_MSG_NEWTABLE:
7348 if (nft_trans_table_update(trans)) {
7349 if (!nft_trans_table_enable(trans)) {
7350 nf_tables_table_disable(net,
7352 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7355 nft_clear(net, trans->ctx.table);
7357 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7358 nft_trans_destroy(trans);
7360 case NFT_MSG_DELTABLE:
7361 list_del_rcu(&trans->ctx.table->list);
7362 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7364 case NFT_MSG_NEWCHAIN:
7365 if (nft_trans_chain_update(trans)) {
7366 nft_chain_commit_update(trans);
7367 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7368 /* trans destroyed after rcu grace period */
7370 nft_chain_commit_drop_policy(trans);
7371 nft_clear(net, trans->ctx.chain);
7372 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7373 nft_trans_destroy(trans);
7376 case NFT_MSG_DELCHAIN:
7377 nft_chain_del(trans->ctx.chain);
7378 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7379 nf_tables_unregister_hook(trans->ctx.net,
7383 case NFT_MSG_NEWRULE:
7384 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7385 nf_tables_rule_notify(&trans->ctx,
7386 nft_trans_rule(trans),
7388 nft_trans_destroy(trans);
7390 case NFT_MSG_DELRULE:
7391 list_del_rcu(&nft_trans_rule(trans)->list);
7392 nf_tables_rule_notify(&trans->ctx,
7393 nft_trans_rule(trans),
7395 nft_rule_expr_deactivate(&trans->ctx,
7396 nft_trans_rule(trans),
7399 case NFT_MSG_NEWSET:
7400 nft_clear(net, nft_trans_set(trans));
7401 /* This avoids hitting -EBUSY when deleting the table
7402 * from the transaction.
7404 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7405 !list_empty(&nft_trans_set(trans)->bindings))
7406 trans->ctx.table->use--;
7408 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7409 NFT_MSG_NEWSET, GFP_KERNEL);
7410 nft_trans_destroy(trans);
7412 case NFT_MSG_DELSET:
7413 list_del_rcu(&nft_trans_set(trans)->list);
7414 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7415 NFT_MSG_DELSET, GFP_KERNEL);
7417 case NFT_MSG_NEWSETELEM:
7418 te = (struct nft_trans_elem *)trans->data;
7420 te->set->ops->activate(net, te->set, &te->elem);
7421 nf_tables_setelem_notify(&trans->ctx, te->set,
7423 NFT_MSG_NEWSETELEM, 0);
7424 nft_trans_destroy(trans);
7426 case NFT_MSG_DELSETELEM:
7427 te = (struct nft_trans_elem *)trans->data;
7429 nf_tables_setelem_notify(&trans->ctx, te->set,
7431 NFT_MSG_DELSETELEM, 0);
7432 te->set->ops->remove(net, te->set, &te->elem);
7433 atomic_dec(&te->set->nelems);
7436 case NFT_MSG_NEWOBJ:
7437 if (nft_trans_obj_update(trans)) {
7438 nft_obj_commit_update(trans);
7439 nf_tables_obj_notify(&trans->ctx,
7440 nft_trans_obj(trans),
7443 nft_clear(net, nft_trans_obj(trans));
7444 nf_tables_obj_notify(&trans->ctx,
7445 nft_trans_obj(trans),
7447 nft_trans_destroy(trans);
7450 case NFT_MSG_DELOBJ:
7451 nft_obj_del(nft_trans_obj(trans));
7452 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7455 case NFT_MSG_NEWFLOWTABLE:
7456 nft_clear(net, nft_trans_flowtable(trans));
7457 nf_tables_flowtable_notify(&trans->ctx,
7458 nft_trans_flowtable(trans),
7459 NFT_MSG_NEWFLOWTABLE);
7460 nft_trans_destroy(trans);
7462 case NFT_MSG_DELFLOWTABLE:
7463 list_del_rcu(&nft_trans_flowtable(trans)->list);
7464 nf_tables_flowtable_notify(&trans->ctx,
7465 nft_trans_flowtable(trans),
7466 NFT_MSG_DELFLOWTABLE);
7467 nft_unregister_flowtable_net_hooks(net,
7468 nft_trans_flowtable(trans));
7473 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7474 nf_tables_commit_release(net);
7479 static void nf_tables_module_autoload(struct net *net)
7481 struct nft_module_request *req, *next;
7482 LIST_HEAD(module_list);
7484 list_splice_init(&net->nft.module_list, &module_list);
7485 mutex_unlock(&net->nft.commit_mutex);
7486 list_for_each_entry_safe(req, next, &module_list, list) {
7487 request_module("%s", req->module);
7490 mutex_lock(&net->nft.commit_mutex);
7491 list_splice(&module_list, &net->nft.module_list);
7494 static void nf_tables_abort_release(struct nft_trans *trans)
7496 switch (trans->msg_type) {
7497 case NFT_MSG_NEWTABLE:
7498 nf_tables_table_destroy(&trans->ctx);
7500 case NFT_MSG_NEWCHAIN:
7501 nf_tables_chain_destroy(&trans->ctx);
7503 case NFT_MSG_NEWRULE:
7504 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7506 case NFT_MSG_NEWSET:
7507 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7509 case NFT_MSG_NEWSETELEM:
7510 nft_set_elem_destroy(nft_trans_elem_set(trans),
7511 nft_trans_elem(trans).priv, true);
7513 case NFT_MSG_NEWOBJ:
7514 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7516 case NFT_MSG_NEWFLOWTABLE:
7517 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7523 static int __nf_tables_abort(struct net *net, bool autoload)
7525 struct nft_trans *trans, *next;
7526 struct nft_trans_elem *te;
7528 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7530 switch (trans->msg_type) {
7531 case NFT_MSG_NEWTABLE:
7532 if (nft_trans_table_update(trans)) {
7533 if (nft_trans_table_enable(trans)) {
7534 nf_tables_table_disable(net,
7536 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7538 nft_trans_destroy(trans);
7540 list_del_rcu(&trans->ctx.table->list);
7543 case NFT_MSG_DELTABLE:
7544 nft_clear(trans->ctx.net, trans->ctx.table);
7545 nft_trans_destroy(trans);
7547 case NFT_MSG_NEWCHAIN:
7548 if (nft_trans_chain_update(trans)) {
7549 free_percpu(nft_trans_chain_stats(trans));
7550 kfree(nft_trans_chain_name(trans));
7551 nft_trans_destroy(trans);
7553 trans->ctx.table->use--;
7554 nft_chain_del(trans->ctx.chain);
7555 nf_tables_unregister_hook(trans->ctx.net,
7560 case NFT_MSG_DELCHAIN:
7561 trans->ctx.table->use++;
7562 nft_clear(trans->ctx.net, trans->ctx.chain);
7563 nft_trans_destroy(trans);
7565 case NFT_MSG_NEWRULE:
7566 trans->ctx.chain->use--;
7567 list_del_rcu(&nft_trans_rule(trans)->list);
7568 nft_rule_expr_deactivate(&trans->ctx,
7569 nft_trans_rule(trans),
7572 case NFT_MSG_DELRULE:
7573 trans->ctx.chain->use++;
7574 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7575 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7576 nft_trans_destroy(trans);
7578 case NFT_MSG_NEWSET:
7579 trans->ctx.table->use--;
7580 if (nft_trans_set_bound(trans)) {
7581 nft_trans_destroy(trans);
7584 list_del_rcu(&nft_trans_set(trans)->list);
7586 case NFT_MSG_DELSET:
7587 trans->ctx.table->use++;
7588 nft_clear(trans->ctx.net, nft_trans_set(trans));
7589 nft_trans_destroy(trans);
7591 case NFT_MSG_NEWSETELEM:
7592 if (nft_trans_elem_set_bound(trans)) {
7593 nft_trans_destroy(trans);
7596 te = (struct nft_trans_elem *)trans->data;
7597 te->set->ops->remove(net, te->set, &te->elem);
7598 atomic_dec(&te->set->nelems);
7600 case NFT_MSG_DELSETELEM:
7601 te = (struct nft_trans_elem *)trans->data;
7603 nft_set_elem_activate(net, te->set, &te->elem);
7604 te->set->ops->activate(net, te->set, &te->elem);
7607 nft_trans_destroy(trans);
7609 case NFT_MSG_NEWOBJ:
7610 if (nft_trans_obj_update(trans)) {
7611 kfree(nft_trans_obj_newobj(trans));
7612 nft_trans_destroy(trans);
7614 trans->ctx.table->use--;
7615 nft_obj_del(nft_trans_obj(trans));
7618 case NFT_MSG_DELOBJ:
7619 trans->ctx.table->use++;
7620 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7621 nft_trans_destroy(trans);
7623 case NFT_MSG_NEWFLOWTABLE:
7624 trans->ctx.table->use--;
7625 list_del_rcu(&nft_trans_flowtable(trans)->list);
7626 nft_unregister_flowtable_net_hooks(net,
7627 nft_trans_flowtable(trans));
7629 case NFT_MSG_DELFLOWTABLE:
7630 trans->ctx.table->use++;
7631 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7632 nft_trans_destroy(trans);
7639 list_for_each_entry_safe_reverse(trans, next,
7640 &net->nft.commit_list, list) {
7641 list_del(&trans->list);
7642 nf_tables_abort_release(trans);
7646 nf_tables_module_autoload(net);
7648 nf_tables_module_autoload_cleanup(net);
7653 static void nf_tables_cleanup(struct net *net)
7655 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7658 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
7660 int ret = __nf_tables_abort(net, autoload);
7662 mutex_unlock(&net->nft.commit_mutex);
7667 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7671 mutex_lock(&net->nft.commit_mutex);
7673 genid_ok = genid == 0 || net->nft.base_seq == genid;
7675 mutex_unlock(&net->nft.commit_mutex);
7677 /* else, commit mutex has to be released by commit or abort function */
7681 static const struct nfnetlink_subsystem nf_tables_subsys = {
7682 .name = "nf_tables",
7683 .subsys_id = NFNL_SUBSYS_NFTABLES,
7684 .cb_count = NFT_MSG_MAX,
7686 .commit = nf_tables_commit,
7687 .abort = nf_tables_abort,
7688 .cleanup = nf_tables_cleanup,
7689 .valid_genid = nf_tables_valid_genid,
7690 .owner = THIS_MODULE,
7693 int nft_chain_validate_dependency(const struct nft_chain *chain,
7694 enum nft_chain_types type)
7696 const struct nft_base_chain *basechain;
7698 if (nft_is_base_chain(chain)) {
7699 basechain = nft_base_chain(chain);
7700 if (basechain->type->type != type)
7705 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7707 int nft_chain_validate_hooks(const struct nft_chain *chain,
7708 unsigned int hook_flags)
7710 struct nft_base_chain *basechain;
7712 if (nft_is_base_chain(chain)) {
7713 basechain = nft_base_chain(chain);
7715 if ((1 << basechain->ops.hooknum) & hook_flags)
7723 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7726 * Loop detection - walk through the ruleset beginning at the destination chain
7727 * of a new jump until either the source chain is reached (loop) or all
7728 * reachable chains have been traversed.
7730 * The loop check is performed whenever a new jump verdict is added to an
7731 * expression or verdict map or a verdict map is bound to a new chain.
7734 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7735 const struct nft_chain *chain);
7737 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7738 struct nft_set *set,
7739 const struct nft_set_iter *iter,
7740 struct nft_set_elem *elem)
7742 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7743 const struct nft_data *data;
7745 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7746 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7749 data = nft_set_ext_data(ext);
7750 switch (data->verdict.code) {
7753 return nf_tables_check_loops(ctx, data->verdict.chain);
7759 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7760 const struct nft_chain *chain)
7762 const struct nft_rule *rule;
7763 const struct nft_expr *expr, *last;
7764 struct nft_set *set;
7765 struct nft_set_binding *binding;
7766 struct nft_set_iter iter;
7768 if (ctx->chain == chain)
7771 list_for_each_entry(rule, &chain->rules, list) {
7772 nft_rule_for_each_expr(expr, last, rule) {
7773 struct nft_immediate_expr *priv;
7774 const struct nft_data *data;
7777 if (strcmp(expr->ops->type->name, "immediate"))
7780 priv = nft_expr_priv(expr);
7781 if (priv->dreg != NFT_REG_VERDICT)
7785 switch (data->verdict.code) {
7788 err = nf_tables_check_loops(ctx,
7789 data->verdict.chain);
7798 list_for_each_entry(set, &ctx->table->sets, list) {
7799 if (!nft_is_active_next(ctx->net, set))
7801 if (!(set->flags & NFT_SET_MAP) ||
7802 set->dtype != NFT_DATA_VERDICT)
7805 list_for_each_entry(binding, &set->bindings, list) {
7806 if (!(binding->flags & NFT_SET_MAP) ||
7807 binding->chain != chain)
7810 iter.genmask = nft_genmask_next(ctx->net);
7814 iter.fn = nf_tables_loop_check_setelem;
7816 set->ops->walk(ctx, set, &iter);
7826 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7828 * @attr: netlink attribute to fetch value from
7829 * @max: maximum value to be stored in dest
7830 * @dest: pointer to the variable
7832 * Parse, check and store a given u32 netlink attribute into variable.
7833 * This function returns -ERANGE if the value goes over maximum value.
7834 * Otherwise a 0 is returned and the attribute value is stored in the
7835 * destination variable.
7837 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7841 val = ntohl(nla_get_be32(attr));
7848 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7851 * nft_parse_register - parse a register value from a netlink attribute
7853 * @attr: netlink attribute
7855 * Parse and translate a register value from a netlink attribute.
7856 * Registers used to be 128 bit wide, these register numbers will be
7857 * mapped to the corresponding 32 bit register numbers.
7859 unsigned int nft_parse_register(const struct nlattr *attr)
7863 reg = ntohl(nla_get_be32(attr));
7865 case NFT_REG_VERDICT...NFT_REG_4:
7866 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7868 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7871 EXPORT_SYMBOL_GPL(nft_parse_register);
7874 * nft_dump_register - dump a register value to a netlink attribute
7876 * @skb: socket buffer
7877 * @attr: attribute number
7878 * @reg: register number
7880 * Construct a netlink attribute containing the register number. For
7881 * compatibility reasons, register numbers being a multiple of 4 are
7882 * translated to the corresponding 128 bit register numbers.
7884 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7886 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7887 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7889 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7891 return nla_put_be32(skb, attr, htonl(reg));
7893 EXPORT_SYMBOL_GPL(nft_dump_register);
7896 * nft_validate_register_load - validate a load from a register
7898 * @reg: the register number
7899 * @len: the length of the data
7901 * Validate that the input register is one of the general purpose
7902 * registers and that the length of the load is within the bounds.
7904 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7906 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7910 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
7915 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7918 * nft_validate_register_store - validate an expressions' register store
7920 * @ctx: context of the expression performing the load
7921 * @reg: the destination register number
7922 * @data: the data to load
7923 * @type: the data type
7924 * @len: the length of the data
7926 * Validate that a data load uses the appropriate data type for
7927 * the destination register and the length is within the bounds.
7928 * A value of NULL for the data means that its runtime gathered
7931 int nft_validate_register_store(const struct nft_ctx *ctx,
7932 enum nft_registers reg,
7933 const struct nft_data *data,
7934 enum nft_data_types type, unsigned int len)
7939 case NFT_REG_VERDICT:
7940 if (type != NFT_DATA_VERDICT)
7944 (data->verdict.code == NFT_GOTO ||
7945 data->verdict.code == NFT_JUMP)) {
7946 err = nf_tables_check_loops(ctx, data->verdict.chain);
7953 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7957 if (reg * NFT_REG32_SIZE + len >
7958 sizeof_field(struct nft_regs, data))
7961 if (data != NULL && type != NFT_DATA_VALUE)
7966 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7968 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7969 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7970 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7971 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7974 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7975 struct nft_data_desc *desc, const struct nlattr *nla)
7977 u8 genmask = nft_genmask_next(ctx->net);
7978 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7979 struct nft_chain *chain;
7982 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7983 nft_verdict_policy, NULL);
7987 if (!tb[NFTA_VERDICT_CODE])
7989 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7991 switch (data->verdict.code) {
7993 switch (data->verdict.code & NF_VERDICT_MASK) {
8008 if (!tb[NFTA_VERDICT_CHAIN])
8010 chain = nft_chain_lookup(ctx->net, ctx->table,
8011 tb[NFTA_VERDICT_CHAIN], genmask);
8013 return PTR_ERR(chain);
8014 if (nft_is_base_chain(chain))
8018 data->verdict.chain = chain;
8022 desc->len = sizeof(data->verdict);
8023 desc->type = NFT_DATA_VERDICT;
8027 static void nft_verdict_uninit(const struct nft_data *data)
8029 switch (data->verdict.code) {
8032 data->verdict.chain->use--;
8037 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8039 struct nlattr *nest;
8041 nest = nla_nest_start_noflag(skb, type);
8043 goto nla_put_failure;
8045 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8046 goto nla_put_failure;
8051 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8053 goto nla_put_failure;
8055 nla_nest_end(skb, nest);
8062 static int nft_value_init(const struct nft_ctx *ctx,
8063 struct nft_data *data, unsigned int size,
8064 struct nft_data_desc *desc, const struct nlattr *nla)
8074 nla_memcpy(data->data, nla, len);
8075 desc->type = NFT_DATA_VALUE;
8080 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8083 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8086 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8087 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8088 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8092 * nft_data_init - parse nf_tables data netlink attributes
8094 * @ctx: context of the expression using the data
8095 * @data: destination struct nft_data
8096 * @size: maximum data length
8097 * @desc: data description
8098 * @nla: netlink attribute containing data
8100 * Parse the netlink data attributes and initialize a struct nft_data.
8101 * The type and length of data are returned in the data description.
8103 * The caller can indicate that it only wants to accept data of type
8104 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8106 int nft_data_init(const struct nft_ctx *ctx,
8107 struct nft_data *data, unsigned int size,
8108 struct nft_data_desc *desc, const struct nlattr *nla)
8110 struct nlattr *tb[NFTA_DATA_MAX + 1];
8113 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8114 nft_data_policy, NULL);
8118 if (tb[NFTA_DATA_VALUE])
8119 return nft_value_init(ctx, data, size, desc,
8120 tb[NFTA_DATA_VALUE]);
8121 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8122 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8125 EXPORT_SYMBOL_GPL(nft_data_init);
8128 * nft_data_release - release a nft_data item
8130 * @data: struct nft_data to release
8131 * @type: type of data
8133 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8134 * all others need to be released by calling this function.
8136 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8138 if (type < NFT_DATA_VERDICT)
8141 case NFT_DATA_VERDICT:
8142 return nft_verdict_uninit(data);
8147 EXPORT_SYMBOL_GPL(nft_data_release);
8149 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8150 enum nft_data_types type, unsigned int len)
8152 struct nlattr *nest;
8155 nest = nla_nest_start_noflag(skb, attr);
8160 case NFT_DATA_VALUE:
8161 err = nft_value_dump(skb, data, len);
8163 case NFT_DATA_VERDICT:
8164 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8171 nla_nest_end(skb, nest);
8174 EXPORT_SYMBOL_GPL(nft_data_dump);
8176 int __nft_release_basechain(struct nft_ctx *ctx)
8178 struct nft_rule *rule, *nr;
8180 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8183 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8184 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8185 list_del(&rule->list);
8187 nf_tables_rule_release(ctx, rule);
8189 nft_chain_del(ctx->chain);
8191 nf_tables_chain_destroy(ctx);
8195 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8197 static void __nft_release_tables(struct net *net)
8199 struct nft_flowtable *flowtable, *nf;
8200 struct nft_table *table, *nt;
8201 struct nft_chain *chain, *nc;
8202 struct nft_object *obj, *ne;
8203 struct nft_rule *rule, *nr;
8204 struct nft_set *set, *ns;
8205 struct nft_ctx ctx = {
8207 .family = NFPROTO_NETDEV,
8210 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8211 ctx.family = table->family;
8213 list_for_each_entry(chain, &table->chains, list)
8214 nf_tables_unregister_hook(net, table, chain);
8215 /* No packets are walking on these chains anymore. */
8217 list_for_each_entry(chain, &table->chains, list) {
8219 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8220 list_del(&rule->list);
8222 nf_tables_rule_release(&ctx, rule);
8225 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8226 list_del(&flowtable->list);
8228 nf_tables_flowtable_destroy(flowtable);
8230 list_for_each_entry_safe(set, ns, &table->sets, list) {
8231 list_del(&set->list);
8233 nft_set_destroy(&ctx, set);
8235 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8238 nft_obj_destroy(&ctx, obj);
8240 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8242 nft_chain_del(chain);
8244 nf_tables_chain_destroy(&ctx);
8246 list_del(&table->list);
8247 nf_tables_table_destroy(&ctx);
8251 static int __net_init nf_tables_init_net(struct net *net)
8253 INIT_LIST_HEAD(&net->nft.tables);
8254 INIT_LIST_HEAD(&net->nft.commit_list);
8255 INIT_LIST_HEAD(&net->nft.module_list);
8256 mutex_init(&net->nft.commit_mutex);
8257 net->nft.base_seq = 1;
8258 net->nft.validate_state = NFT_VALIDATE_SKIP;
8263 static void __net_exit nf_tables_exit_net(struct net *net)
8265 mutex_lock(&net->nft.commit_mutex);
8266 if (!list_empty(&net->nft.commit_list))
8267 __nf_tables_abort(net, false);
8268 __nft_release_tables(net);
8269 mutex_unlock(&net->nft.commit_mutex);
8270 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8271 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8274 static struct pernet_operations nf_tables_net_ops = {
8275 .init = nf_tables_init_net,
8276 .exit = nf_tables_exit_net,
8279 static int __init nf_tables_module_init(void)
8283 spin_lock_init(&nf_tables_destroy_list_lock);
8284 err = register_pernet_subsys(&nf_tables_net_ops);
8288 err = nft_chain_filter_init();
8292 err = nf_tables_core_module_init();
8296 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8300 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8304 err = nft_offload_init();
8309 err = nfnetlink_subsys_register(&nf_tables_subsys);
8313 nft_chain_route_init();
8319 rhltable_destroy(&nft_objname_ht);
8321 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8323 nf_tables_core_module_exit();
8325 nft_chain_filter_fini();
8327 unregister_pernet_subsys(&nf_tables_net_ops);
8331 static void __exit nf_tables_module_exit(void)
8333 nfnetlink_subsys_unregister(&nf_tables_subsys);
8335 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8336 nft_chain_filter_fini();
8337 nft_chain_route_fini();
8338 unregister_pernet_subsys(&nf_tables_net_ops);
8339 cancel_work_sync(&trans_destroy_work);
8341 rhltable_destroy(&nft_objname_ht);
8342 nf_tables_core_module_exit();
8345 module_init(nf_tables_module_init);
8346 module_exit(nf_tables_module_exit);
8348 MODULE_LICENSE("GPL");
8349 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8350 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / kernel / linux-starfive.git / blob